Google stored some G Suite passwords in unhashed form for 14 years
Google revealed that it recently discovered a bug that caused a subset of its enterprise G Suite customers to have their passwords stored in an unhashed — albeit encrypted — form for about 14 years.
“This is a G Suite issue that affects business users only — no free consumer Google accounts were affected — and we are working with enterprise administrators to ensure that their users reset their passwords,” Google said in a blog post disclosing the security lapse.
The company failed to specify exactly how many customers were affected this way. However, it went on to stress that it didn’t find any evidence of improper access.
G Suite is the company’s corporate version of Gmail and apps like Drive, Docs, and Hangouts, among others. This February, Google announced it had over 5 million paying businesses on its G Suite platform.
The issue stems from the way Google implemented password security in its core sign-in system. There are two different slip-ups at play here.
The first involves a G Suite feature available for IT staff since 2005. The tool, now no longer in existence, allowed them to set and recover users’ passwords via the admin console.
Google says the feature had been designed with an intent to onboard new employees, and help them sign into their accounts with passwords manually set by the admins. These passwords, according to the blog post, were not hashed.
Hashing is a standard security practice that protects user credentials by passing them through a one-way function, so the stored value cannot be turned back into the original password.
The company has a relatively good reputation when it comes to account security, so the fact this bug has been around for so long is a little disconcerting.
The second involves storing some unhashed user credentials for up to two weeks. This was discovered in January 2019 as it was troubleshooting new G Suite customer sign-ups, the search giant said.
With this latest development, Google joins Facebook, GitHub, Instagram, and Twitter on the list of companies that have suffered embarrassing plaintext password bugs.
Back in May 2018, Twitter asked all its 330 million users to change their passwords after a bug exposed them in plaintext in an internal log. Then, last March, Facebook acknowledged that it had been storing millions of user passwords in plaintext since 2012. A few weeks later, it expanded the scope of the security lapse to include millions of Instagram users.
Google’s case is a little different in that the passwords were eventually encrypted before they were stored on disk. This means, even if an attacker managed to get hold of your password, they would still have to unscramble it in order to gain access to your account.
A malicious interloper could theoretically use the search giant’s backend software to decrypt your password, although the scenario is extremely unlikely, as the attacker would’ve had to break into Google’s security infrastructure first without being detected.
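The difference between "encrypted but unhashed" and hashed storage can be shown in a few lines. The sketch below is an added example, not Google's code: the record layout and function names are hypothetical, and the XOR keystream is only a stand-in for a real cipher so the example runs with the Python standard library alone.

```python
import hashlib
import hmac
import os

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for a real cipher (illustration only, not for production use).
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def store_encrypted(password: str, key: bytes) -> dict:
    # Reversible storage: the password is protected only by the key.
    nonce = os.urandom(16)
    return {"nonce": nonce, "ct": _keystream_xor(key, nonce, password.encode())}

def recover_encrypted(record: dict, key: bytes) -> str:
    # Any system or person holding the key gets the original password back.
    return _keystream_xor(key, record["nonce"], record["ct"]).decode()

# scrypt cost parameters (assumed values; tune for your own hardware).
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def store_hashed(password: str) -> dict:
    # One-way storage: a per-user random salt plus a slow, memory-hard hash.
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return {"salt": salt, "hash": digest}

def verify_hashed(record: dict, candidate: str) -> bool:
    # The only supported operation is "does this candidate match?".
    digest = hashlib.scrypt(candidate.encode(), salt=record["salt"], **SCRYPT)
    return hmac.compare_digest(digest, record["hash"])

if __name__ == "__main__":
    pw = "Welcome-2005!"          # constructed sample password
    key = os.urandom(32)          # constructed storage key
    enc = store_encrypted(pw, key)
    print("recovered from encrypted record:", recover_encrypted(enc, key))
    rec = store_hashed(pw)
    print("hash verifies correct password:", verify_hashed(rec, pw))
    print("hash verifies wrong password:  ", verify_hashed(rec, "guess"))
```

With hashed storage, an admin "recover password" feature cannot exist; the only options are to verify a candidate or to reset the password.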
Noting that both these security blunders have been fixed, Google urged users to make use of multi-factor authentication to thwart any account takeover attacks. It also apologized to its users for not following industry standards and promised to do better.
source thenextweb