Google has revealed it had left some business users’ passwords exposed in plain text.
In a blog post on Tuesday, the tech giant said it had discovered the issue in Google’s popular enterprise product, G Suite, back in January.
When stored in a system, passwords are cryptographically hashed (scrambled into a random-looking assortment of numbers), which makes it near-impossible to work out what the original password was.
The bug, which had existed since 2005, stored an unhashed, plain text copy of the password in G Suite’s administration console. The console had allowed administrators to reset a password for a user, in case they forgot it, but Google said the function no longer exists.
“This practice did not live up to our standards,” Suzanne Frey, Google’s VP of engineering, Cloud trust, said in the blog post.
“To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.”
Google didn’t reveal how many users were impacted by the bug, but the issue only affects users of G Suite, and does not impact people who use Google’s free consumer accounts.
The company said it has contacted G Suite administrators to change those impacted passwords, and has reset passwords for those users who have not done so already.
While Google’s security issue arguably pales in comparison, it comes after millions of passwords were discovered stored in plain text by Facebook back in March.