Written by James Orme Thu 23 May 2019

The Alphabet subsidiary is the latest tech giant to be caught neglecting basic data protection standards

An unknown number of Google passwords belonging to the company’s enterprise customers have been stored in plain text for 14 years, the tech giant has admitted.

Passwords are usually scrambled in an unreadable format known as hashing, but some of Google’s G Suite business users were informed that a bug resulted in a copy of their passwords being kept unhashed on their servers since 2005.

“We have been conducting a thorough investigation and have seen no evidence of improper access to or misuse of the affected G Suite credentials,” Google’s vice president for engineering Suzanne Frey said.

Google, which has more than five million G Suite customers, said a “subset” of password data was kept on its encrypted internal systems and did not affect any free consumer Google accounts.

It traced back the issue to 2005, when it introduced a new feature allowing domain administrators to set and recover passwords for their company’s users, mainly used to add new employees into the system.

The feature no longer exists.

A second list was also discovered in January, although these passwords are only thought to have been stored for a maximum of 14 days.

“We recently notified G Suite administrators to change those impacted passwords,” Ms Frey added.

“Out of an abundance of caution, we will reset accounts that have not done so themselves.

“We take the security of our enterprise customers extremely seriously, and pride ourselves in advancing the industry’s best practices for account security.

“Here we did not live up to our own standards, nor those of our customers. We apologise to our users and will do better.”

In March, Facebook revealed that it had accidentally stored millions of user passwords in plain text, including those on Instagram and Facebook Lite.

The Irish Data Protection Commission, the lead supervising authority for Facebook in the EU, consequently launched an inquiry to determine whether Facebook had breached GDPR (General Data Protection Regulation) laws designed to protect people’s data.