Administrators of some of Google’s five million business accounts got an unwelcome surprise when the company recently notified them it had stored some user passwords in plain text since 2005.
Usually, before storing passwords with usernames, tech companies scramble passwords so they can only be read with an encryption “key.” Even if someone finds a username and password pair on Google’s internal servers, they won’t be able to read the password without that key.
But Google made a mistake when it first built its email-for-business product, G Suite, 14 years ago. The tool that allowed managers to manually set passwords for employees failed to encrypt new passwords before storing them, according to a post on the Google blog from earlier today.
“We have been conducting a thorough investigation and have seen no evidence of improper access to or misuse of the affected G Suite credentials,” the blog post said.
It’s been a rough week for Google’s security team. On Monday, a large number of users (including employees at the Bay Area News Group) mistakenly received a notification that a new device had signed into their account, scaring a lot of people into thinking their accounts were being hacked. It’s unclear whether the two issues are related.
Should all this news push you to bulk up your online security, Google researchers published some good tips last week for protecting your account, even if someone gets your passwords.