It has suddenly come to light that Google’s G Suite customers were left exposed to a potential risk since their passwords were in plain text instead of being encrypted as is the norm. Google has now issued an apology to the users. The worst part is that the passwords were in that plain text form for all of 10 years. The only saving grace is that Google claims they have found that these passwords remained secure and there have been no breaches.
The company will now go back to the G Suite users and ask them to reset their passwords. Google says the users whose passwords were not encrypted due to an oversight are all enterprise customers and no individual accounts; Google calls them ‘free consumer Google accounts’, figure in the list.
The terse apology simply says, "We apologise to our users and will do better".
Explaining how this works, an executive with Google says, the moment you choose a unique user ID and give a password, they are stored in an encrypted form on the servers. The next time you login, a match is done with the user ID and password combination you have entered with that stored on Google servers and you are taken to the appropriate landing page. In the case of G Suite, the encryption of the passwords was not done and they remained as inputted by the customers at their end. The risk with this is if anyone were to get access to the data where it is stored, then all these passwords can be read and copied and could have been misused even. The fact that Google says no damage was done and no intrusion took place has to be taken at face value. You or any other customer, if you have been a G Suite user, have no way of verifying it independently.
Many experts advise frequent changing of passwords to increase the levels of protection you enjoy and minimise the chances of it being misused. Users however are generally lazy to do it since they tend to forget the passwords they last entered and stick to the one they created for months and years.
There have been similar incidents with Twitter and Facebook too.