Google Has Been ‘Accidentally’ Storing Passwords in Plaintext Since 2005

[wwzsocki]

Google typically stores its passwords in a cryptographically-scrambled hash. However, due to the bug, G Suite’s password recovery feature for administrators somehow allowed the passwords to be stored in the admin’s control panel. As of recently, Google has disabled the feature causing the security risk.

However, for a long time, the passwords were accessible to both authorized Google personnel and malicious hackers.

The plaintext bug is nothing new. In fact, Twitter and Facebook have both dealt with similar issues in the past year or so. However, Google is taking this a step further by auto-resetting passwords out of caution. So, kudos for taking that extra measure.

The trouble is, this bug has existed since at least 2005. Although the company claims the passwords were never compromised, 14 years is a long time for this to go under the radar.

If you’re a G Suite user, you should really add two-factor authentication and pray that your password was never compromised.


https://beincrypto.com/google-has-been-accidentally-storing-passwords-in-plaintext-since-2005/

[1714645996]

1714645996

[1714645996]

1714645996

[AB de Royse777]

~snip~

If you’re a G Suite user, you should really add two-factor authentication and pray that your password was never compromised.


https://beincrypto.com/google-has-been-accidentally-storing-passwords-in-plaintext-since-2005/

Holly cow!
I use gmail account, does that mean the G suite password is the same? I mean gmail and G suite is same thing right? I am just confuse with this G suite?

[wwzsocki]

I use gmail account, does that mean the G suite password is the same? I mean gmail and G suite is same thing right? I am just confuse with this G suite?

No, I don't think so. Only the admin panel in G Suite was affected.

G Suite is an integrated suite of secure, cloud-native collaboration and productivity apps powered by Google AI. Includes Gmail, Docs, Drive, Calendar, Meet and more.

This is what description says, here is a link https://gsuite.google.com/

I am sure a lot of people is using it, especially small businesses and companies.

[akamit]

No, I don't think so. Only the admin panel in G Suite was affected.

I don't use G Suite. Then will it affect gmail?
But I thought at first that we have one pass for all Google products & services.

So are we safe from this, I mean users of adsense, analytics, adwords ?

[wwzsocki]

I don't use G Suite. Then will it affect gmail?...
So are we safe from this, I mean users of adsense, analytics, adwords ?

I don't think so but I can't guarantee that. Try to read this article (link above) to know more about this problem and what is affected.

When I was reading this headline I thought this same "oh shit my email account affected?" but I think not because one has to use GSuie and log in using Admin panel.

But I can be wrong because I have never used G Suite only knew about it and to be honest I thought is an app  .

That is why I shared this because nobody knows how many people are using this tool, to be honest. Could be many or nobody.

[TryNinja]

I don't use G Suite. Then will it affect gmail?
But I thought at first that we have one pass for all Google products & services.

So are we safe from this, I mean users of adsense, analytics, adwords ?

If I understood correctly, yes.

According to the article, the flaw was on the admin password recovery page/featured.

Also, it says:

If you’re a G Suite user, you should really add two-factor authentication and pray that your password was never compromised.

Implying that normal users weren’t affected.

[suchmoon]

I use gmail account, does that mean the G suite password is the same? I mean gmail and G suite is same thing right? I am just confuse with this G suite?

G Suite is their business product that includes gmail among other things, so no, it's not the same and you're likely not affected if you don't use G Suite and don't have e.g. a corporate/branded google account through your job/school/etc.

However those who use G Suite would have the same account for EVERY google product, including Android phones etc so it's a major fuckup nonetheless.

[AB de Royse777]

~snip~

No, I don't think so. Only the admin panel in G Suite was affected.

G Suite is an integrated suite of secure, cloud-native collaboration and productivity apps powered by Google AI. Includes Gmail, Docs, Drive, Calendar, Meet and more.

This is what description says, here is a link https://gsuite.google.com/

I am sure a lot of people is using it, especially small businesses and companies.

Thank you, that's a relief from my side however this is something new to me. I hard about G Suite but never got interested to study about it. I thought it's another service extension of google like webmaster etc.

[wwzsocki]

I have seen that nobody is talking about this here so decided to warn community because is Google and even if only G Suite admin panel was affected this is still a big thing.

Especially if this was vulnerable for almost 15 years.

Lately, in our local section, we have talked about: "how safe are passwords in browsers?" and I think I have my answer now.