NOTICE: Google plain text password incident has minimal U-M impact
The information below was sent via email to the IT Security Community and Frontline Notify groups on May 22, 2019.
Google announced yesterday that it stored the passwords of some G Suite users in plain text format in its administrative console. U-M is a G Suite user, and Google has informed the university that a very small number of U-M accounts were affected. Personal GMail accounts are not affected.
What Happened at Google
A bug in G Suite's password recovery feature for administrators caused some passwords to be stored in plain text format in the infrastructure of a control panel called the admin console. This bug has existed since 2005. Google has now disabled the features that contained the bug. The affected passwords would only have been available to Google employees, and Google says there is no evidence that the plain text passwords were ever accessed or abused.
Impact at U-M
Google has identified fewer than 20 shared accounts and fewer than 10 individual accounts at U-M affected by the plain text password issue. Information Assurance (IA) will:
- Contact the owners of the shared U-M Google accounts directly and ensure that the passwords for those accounts are changed.
- Ensure that the passwords of the individual U-M Google accounts (all of which were unused) are scrambled.
- Google Has Stored Some Passwords in Plaintext Since 2005 (Wired, 5/21/19)
- Notifying administrators about unhashed password storage (Google Cloud Blog, 5/21/19)
- Google stored some passwords in plain text for fourteen years (The Verge, 5/21/19)
- Google says some G Suite user passwords were stored in plaintext since 2005 (Tech Crunch, 5/21/19)
- Google stored some business passwords as plain text (Engadget, 5/21/19)
- Google had some passwords stored in plaintext for more than a decade (CNet, 5/21/19)
- Google says it stored some G Suite passwords in unhashed form for 14 years (ZDNet, 5/21/19)
- Google stored some users' passwords in plain text for years (Mashable, 5/22/19)
- Google Stored G Suite Users' Passwords in Plain-Text for 14 Years (The Hacker News, 5/22/19)
- Google stored some G Suite passwords in unhashed form for 14 years (The Next Web, 5/22/19)