Google says a small number of its enterprise customers mistakenly had their passwords stored on its systems in plaintext. The exact number was not disclosed. “We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed,” said Google vice president of engineering Suzanne Frey.
Slashdot reader pegdhcp appears to be one of the users impacted by this security lapse: “I am sharing a message that I received from G Suite, redacted. They are having some serious problem… If you missed the message or somehow tend to ignore sometimes extremely frequent and unnecessary G Suite messages like I do, this one can be important depending on your settings.”
[You can read the full email message (with redactions) below:]
Dear G Suite Administrator,
We are writing to inform you that due to legacy functionality that enabled customer Domain Admins to view passwords, some of your users’ passwords were stored in our encrypted systems in an unhashed format. This primarily impacted system-generated or admin-generated passwords intended for one-time use.
We have reviewed the login information for the user account(s) and have found no evidence that the unhashed passwords were misused.
The following is the list of users impacted in your domain(s):
Google Planned Action: for your security, starting tomorrow, Wednesday, May 22, 2019 PT we will force a password change unless it has already been changed prior to that time.
Our password update methodology is as follows:
Users With Single Sign On: We will reset their password by changing it to a randomly generated secure value. Please note that this will have no effect on their ability to log in using their Single Sign On credentials.
Other Users and Super Admins: We will terminate their sessions and prompt users to change their password at their next login.
In addition, starting Wednesday, May 29, 2019 PT we will reset the password for users that have not yet selected a new password or have not had a password reset. These users will need to follow your organization’s password recovery process. Super Admins will not be impacted. For information on password recovery options please refer to the following Help Center Article.
For further questions please contact Google Support and reference issue number XXXXXXXX.
The G Suite Team