Google: We’ve been storing some enterprise customer passwords in plaintext since 2005

Google is encouraging enterprise administrators to have users reset their passwords.
Google password
(Thomas Hawk / <a href="">Flickr</a>)

Google has notified an unspecified number of its enterprise customers that their passwords have been stored in plaintext inside the company’s internal encrypted systems due to a technical issue that has existed since 2005.

The issue does not affect free Gmail consumer accounts, but only the enterprise accounts that Google refers to as G Suite. “We have been conducting a thorough investigation and have seen no evidence of improper access to or misuse” of the affected credentials, Suzanne Frey, vice president of engineering in Google’s cloud division, wrote in a blog post Tuesday.

Frey apologized to users for not storing the passwords with cryptographic hashes, which is an industry best practice that prevents the data host from seeing a password in plaintext.

“We take the security of our enterprise customers extremely seriously, and pride ourselves in advancing the industry’s best practices for account security,” Frey said. “Here we did not live up to our own standards, nor those of our customers.”


Frey said the tech giant erred in setting up the G Suite functionality in 2005 because an administrative console stored a copy of passwords in plaintext. In January 2019, she added, Google found that it had “inadvertently stored a subset of unhashed passwords in our secure encrypted infrastructure” for up to two weeks. Those issues have been fixed, she said.

Google is encouraging enterprise administrators to have users reset their passwords. “Out of an abundance of caution, we will reset accounts that have not done so themselves,” she wrote.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts