Google Fixes Two G Suite Enterprise Password Issues

Google has disclosed and fixed two G Suite enterprise account password issues.

The first issue involved a feature flaw introduced back in 2005. The second involved an issue that surfaced in January 2019. In both cases, it sounds like the company only recently discovered and mitigated the issues.

Referring to the issue that dates back to 2005, Google said:

"The admin console stored a copy of the unhashed password. This practice did not live up to our standards. To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords."

Google VP Suzanne Frey

In a separate issue, Google discovered a flaw that began in January 2019. The flaw, the company says:

"inadvertently stored a subset of unhashed passwords in our secure encrypted infrastructure. These passwords were stored for a maximum of 14 days. This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords. We will continue with our security audits to ensure this is an isolated incident."

The company has notified G Suite administrators to change impacted passwords. And out of an abundance of caution, the company will reset accounts that have not done so themselves, according to Suzanne Frey, VP of engineering for Google Cloud Trust.

Google G Suite Password Issue: Context Matters

No doubt, the security issues warrant concern and close scrutiny by Google G Suite enterprise account administrators and MSPs that maintain such accounts for customers.

However, some media reports about the issues appear overblown -- and some have confused Google's enterprise applications (which suffered the issues) with the company's consumer options (which did not suffer from the issues).

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.