Google revealed a bug on Tuesday that left enterprise G Suite passwords stored incorrectly for the last 14 years so that they were encrypted but unhashed. It’s a bug that could have allowed Google employees to access credentials — but Google was quick to point out no such access was detected.
The mistake only impacts business G Suite users, free users of Google products are unaffected.
“We have been conducting a thorough investigation and have seen no evidence of improper access to or misuse of the affected G Suite credentials,” said Suzanne Frey, Google Cloud’s Vice President of engineering.
Hashing is a useful technique in cryptography that allows Google to give you access to your accounts without knowing your password. Google’s sign-in system can match the hash — a numeric representation of the password — with the hash Google has stored. It’s a key way to scramble and further secure your account credentials.
The bug revealed today was traced back to a tool built in 2005 that allowed administrators to set passwords for new employees. The goal was to help with tasks like onboarding new users. But the implementation was flawed and passwords stored using this tool were encrypted but never passed through Google’s hashing algorithm.
“To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords,” Frey said.