Google disclosed that it recently discovered a bug that caused some portion of G Suite users to have their passwords stored in plain text. The bug has been around since 2005, though Google says that it can’t find any evidence that anybody’s password was improperly accessed. It’s resetting any passwords that might be affected and letting G Suite administrators know about the issue.
G Suite is the corporate version of Gmail and Google’s other apps, and apparently the bug came about in this product because of a feature designed specifically for companies. Early on, it was possible for your company administrator for G Suite apps to set user passwords manually say, before a new employee came on board and if they did, the admin console would store those passwords in plain text instead of hashing them. Google has since removed that capability from administrators.
Google’s post goes to great detail to explain how cryptographic hashing works, in an effort to make sure the nuances surrounding this bug are clear. Though the passwords were stored in plain text, they were at least stored in plain text inside Google’s servers, so they’d be harder to get to than if they were just out on the open internet. Although Google didn’t say so explicitly, it seems like it wants to also make sure people don’t lump this bug in the same category as other plain text password problems where those passwords have leaked out.
Google didn’t characterize just how many users might have been affected by this bug beyond saying it affected “a subset of our enterprise G Suite customers” presumably anybody who was using G Suite in 2005. And though Google couldn’t find evidence that anybody used this access maliciously, it’s not entirely clear who would have had access to these plain text files either.