Google plain text password incident has minimal U-M impact
The information below was sent via email to the IT Security Community and Frontline Notify groups on May 22, 2019.
Google announced yesterday that it stored the passwords of some G Suite users in plain text format in its administrative console. U-M is a G Suite user, and Google has informed the university that a very small number of U-M accounts were affected. Personal Gmail accounts are not affected.
What Happened at Google
A bug in G Suite's password recovery feature for administrators caused some passwords to be stored in plain text format in the infrastructure of a control panel called the admin console. This bug has existed since 2005. Google has now disabled the features that contained the bug. The affected passwords would only have been available to Google employees, and Google says there is no evidence that the plain text passwords were ever accessed or abused.
Impact at U-M
Google has identified fewer than 20 shared accounts and fewer than 10 individual accounts at U-M affected by the plain text password issue. Information Assurance (IA) will:
- Contact the owners of the shared U-M Google accounts directly and ensure that the passwords for those accounts are changed.
- Ensure that the passwords of the individual U-M Google accounts (all of which were unused) are scrambled.
References
- Google Has Stored Some Passwords in Plaintext Since 2005 (Wired, 5/21/19)
- Notifying administrators about unhashed password storage (Google Cloud Blog, 5/21/19)
- Google stored some passwords in plain text for fourteen years (The Verge, 5/21/19)
- Google says some G Suite user passwords were stored in plaintext since 2005 (TechCrunch, 5/21/19)
- Google stored some business passwords as plain text (Engadget, 5/21/19)
- Google had some passwords stored in plaintext for more than a decade (CNET, 5/21/19)
- Google says it stored some G Suite passwords in unhashed form for 14 years (ZDNet, 5/21/19)
- Google stored some users' passwords in plain text for years (Mashable, 5/22/19)
- Google Stored G Suite Users' Passwords in Plain-Text for 14 Years (The Hacker News, 5/22/19)
- Google stored some G Suite passwords in unhashed form for 14 years (The Next Web, 5/22/19)