Google Stored Users' Passwords Unhashed
Google says it recently notified a subset of its enterprise G Suite customers that some of their users' passwords had been stored unhashed in the company's encrypted internal systems.
The reported G Suite issue affects business users only; no free consumer Google accounts were affected. Google says it is working with enterprise administrators to ensure that their users reset their passwords, and the company's investigation has shown no evidence of improper access to or misuse of the affected G Suite credentials.
Google's policy is generally to store passwords as cryptographic hashes rather than as the passwords themselves. When a user sets a password, Google does not keep the exact characters; it runs the password through a hash function, which turns it into a string such as "72i32hedgqw23328", and stores that string alongside the username. Both are then also encrypted before being written to disk. At the next sign-in, Google hashes the submitted password the same way; if the result matches the stored string, the user must have typed the correct password and sign-in proceeds. In practice a password hash is also salted and deliberately slow to compute, so that an attacker who obtains the stored strings cannot cheaply guess passwords offline.
Because a hashed password is practically impossible to reverse, Google cannot show users a forgotten password; it can only have them set a new one.
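As an added example, not code from Google or from the original article, here is the store-then-verify flow described above in Python. Google has not published its actual password hashing scheme, so PBKDF2-HMAC-SHA256 from the standard library, a random per-password salt and the `algorithm$iterations$salt$digest` record format are all assumptions made for illustration; the user names and passwords are constructed sample data.

```python
import base64
import hashlib
import hmac
import os

# Added illustration, not Google's code: Google has not published its password
# hashing scheme, so PBKDF2-HMAC-SHA256 from the standard library stands in for it.

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor; raise over time as hardware gets faster
SALT_BYTES = 16        # per-password random salt, so equal passwords hash differently


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Turn a password into the string that gets stored next to the username.

    The record is self-describing (algorithm$iterations$salt$digest) so the
    work factor can be raised later without invalidating existing records.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, record: str) -> bool:
    """Re-hash the submitted password with the stored salt and compare."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError("unsupported record: " + algorithm)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # Constant-time comparison: a plain == leaks how many leading bytes matched.
    return hmac.compare_digest(expected, candidate)


class UserStore:
    """Minimal credential store: keeps only username -> hash record, never the password."""

    def __init__(self) -> None:
        self._records = {}

    def set_password(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password)

    def check_password(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Still burn a hash so a missing user is not detectable by timing.
            hash_password(password)
            return False
        return verify_password(password, record)

    def stored_record(self, username: str) -> str:
        return self._records[username]


if __name__ == "__main__":
    store = UserStore()
    # Constructed sample credentials.
    store.set_password("alice@example.com", "correct horse battery staple")
    print(store.stored_record("alice@example.com"))  # contains no trace of the password
    print(store.check_password("alice@example.com", "correct horse battery staple"))  # True
    print(store.check_password("alice@example.com", "wrong"))  # False
```

The stored record is all an attacker gets from a dump of this table: the salt forces a separate guessing run per user, the iteration count makes each guess expensive, and nothing in the record lets anyone recover the original password, which is exactly why a helpdesk cannot read it back to a user. A system that also keeps an unhashed copy somewhere else, as the incidents below describe, loses all of those properties regardless of how good the hash is.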
Google says that in 2005 its G Suite admin console stored a copy of each affected user's password unhashed. This issue has been fixed, and Google has seen no evidence of improper access to or misuse of the affected passwords.
In January 2019, Google also discovered that it had inadvertently stored a subset of unhashed passwords in the company's secure encrypted infrastructure. These passwords were stored for a maximum of 14 days. This issue has also been fixed and, again, Google says it has seen no evidence of improper access to or misuse of the affected passwords.
With this latest disclosure, Google joins Facebook, GitHub, Instagram, and Twitter on the list of companies that have suffered embarrassing plaintext password bugs.