The issue has been traced back to 2005 and affects only G Suite users, not consumer Google accounts. It was caused by an error in the implementation of an old feature that let administrators manually set and recover user passwords.
Outdated feature and error in implementation
G Suite administrators have access to a console that lets them set up new user accounts within their company. Normally, passwords are hashed on Google's infrastructure before they are saved. Hashing is a one-way operation that cannot be reversed: when a user later supplies a password at login, it is hashed and the result is compared with the stored hash. If the two match, the password is correct and access is granted. In an announcement today, Google vice president of engineering Suzanne Frey said that the mistake was that the admin console also stored a copy of the unhashed password on Google's systems. The company stresses that, despite the slip-up, the passwords remained within its secure, encrypted infrastructure and that there has been no evidence of improper access or misuse. The problem has since been fixed.
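To make the difference concrete, here is an added example (not Google's code, and not taken from the announcement) of the hash-and-compare flow the paragraph describes, beside the flawed variant that keeps a recoverable copy of the password. The user store, the `pbkdf2_sha256$iters$salt$hash` record format and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Illustrative parameters (assumed for this example, not Google's settings).
PBKDF2_ITERATIONS = 100_000
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a salted PBKDF2-HMAC-SHA256 record: 'pbkdf2_sha256$iters$salt_hex$hash_hex'.

    A fresh random salt is drawn unless one is supplied (the explicit salt
    parameter exists only so the example is reproducible in tests).
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported password record")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


# Two ways an admin console might persist a newly set password.
def store_user_hashed(db: Dict[str, dict], username: str, password: str) -> None:
    """Correct: only the one-way hash is stored; the password cannot be recovered."""
    db[username] = {"password_hash": hash_password(password)}


def store_user_flawed(db: Dict[str, dict], username: str, password: str) -> None:
    """Flawed: the hash is stored, but so is a recoverable copy of the password.

    This mirrors the class of mistake described in the article: the login path
    still works on the hash, but anyone who can read the store gets the password.
    """
    db[username] = {
        "password_hash": hash_password(password),
        "password": password,  # the recoverable copy that should never be kept
    }


def login(db: Dict[str, dict], username: str, password: str) -> bool:
    """Hash the supplied password and compare it with the stored hash."""
    rec = db.get(username)
    if rec is None:
        # Do the same amount of work for unknown users so timing does not
        # reveal whether an account exists.
        hash_password(password)
        return False
    return verify_password(password, rec["password_hash"])


def recoverable_passwords(db: Dict[str, dict]) -> Dict[str, str]:
    """Audit helper: list every account whose plaintext password is readable."""
    return {u: r["password"] for u, r in db.items() if "password" in r}


if __name__ == "__main__":
    users: Dict[str, dict] = {}
    store_user_hashed(users, "alice", "correct horse battery staple")
    print("alice login ok:", login(users, "alice", "correct horse battery staple"))
    print("alice wrong pw:", login(users, "alice", "wrong"))
    print("recoverable:", recoverable_passwords(users))
```

Note that both stores authenticate identically, which is exactly why this kind of bug can go unnoticed for years: the login path never touches the extra copy, so nothing breaks. An audit like `recoverable_passwords` over the persisted records is the check that would have caught it.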
Similar event recently discovered
Google's notification also reports a second incident, in which unhashed passwords were again found on its encrypted infrastructure. "While troubleshooting new G Suite customer login flows, we found that we had inadvertently stored a subset of unhashed passwords in our secure encrypted infrastructure since January 2019," Frey said. In this case the passwords were stored unhashed for a maximum of 14 days. This problem has also been fixed, and again there was no evidence of improper access or misuse. As a result of the two incidents, Google has notified G Suite administrators and asked affected users to change their passwords; accounts whose passwords are not changed will have them reset automatically. "Our authentication systems operate with many layers of protection beyond the password, and we deploy a number of automatic systems that block malicious sign-in attempts, even when the attacker knows the password," Frey added. A G Suite account gives access to a number of Google services such as Gmail, Docs, and Drive. Neither incident should give affected customers too much cause for concern: although no harm appears to have been done, sensitive data was stored unhashed on Google's encrypted infrastructure, and an attacker would still have had to get past the security layers around it.