In a blog post published Tuesday, Google revealed that its G Suite platform mistakenly stored the passwords of some of its enterprise users unhashed, in plaintext, on internal servers for 14 years because of a bug in the password recovery feature.
G Suite, formerly known as Google Apps, is a collection of cloud computing, productivity, and collaboration tools designed for corporate users, including email hosting for their businesses.
It’s basically a business version of everything Google offers.
The flaw, which has now been patched, resided in the password recovery mechanism for G Suite customers. That mechanism allows enterprise administrators to upload or manually set passwords for any user of their domain without knowing the user's previous password, in order to help businesses with on-boarding employees and with account recovery.
When admins did reset passwords this way, the admin console stored a copy of those passwords in plaintext instead of encrypting them, Google revealed.
Google also clarified that the bug was restricted to users of its G Suite apps for businesses and that no free Google accounts, such as Gmail, were affected.
The company did not disclose how many users might have been affected by this bug beyond saying the issue affected “a subset of our enterprise G Suite customers.” With more than 5 million G Suite enterprise customers, the bug could affect a large number of users, presumably any user who used G Suite in the last 14 years.
In order to address the issue, Google has since removed the capability from G Suite administrators and emailed them a list of impacted users, asking them to ensure that those users reset their passwords.
Google says it will automatically reset the passwords of those users who do not change them.