Google stored password in plaintext in logs

10 points by WayToDoor 5 years ago

Got this email a few minutes ago:

Google Customer Alert

Dear G Suite Administrator,

We are writing to inform you that between January 13, 2019 and May 9, 2019, an internal system that logged account signup information for diagnostic purposes inadvertently stored one of your user account passwords in our encrypted systems in an unhashed format. This impacted the user account password provided during the initial account signup process. The log information was retained for 14 days following the signup process, and then was deleted according to our normal retention policies.

We have reviewed the login information for the account and have found no evidence that the unhashed password was misused.

The following is the user account impacted in your domain(s):

[redacted]

Google Planned Action: for your security, starting tomorrow Wednesday, May 22, 2019 PT we will force a password change unless it has already been changed prior to that time.

Our password update methodology is as follows:

We will terminate the impacted user’s session and prompt the user to change their password at their next login.

In addition, starting Wednesday, May 29, 2019 PT we will reset the password for the user if they have not yet selected a new password or have not had a password reset. This user will need to follow your organization’s password recovery process. However, Super Admins will not be impacted. For information on password recovery options please refer to the following Help Center Article.

For further questions please contact Google Support and reference issue number [redacted]

Sincerely,

The G Suite Team

htanirs 5 years ago

Yeah, I got that as well. Password hashed / unhashed in logs?? I really do not understand why passwords should be stored in logs or other systems.

Also, it does not say it was not misused, simply there is no evidence. We live in interesting times.

dontbenebby 5 years ago

I wonder how common this is. Don't many places log usernames? And isn't it extremely common to paste/type a password into the username field?
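An added example, not part of the thread and not Google's code: a scrubber that an application could run over signup and login events before they reach a diagnostic log. It covers both cases raised above, the password captured at signup and a password typed into the username field. The field names, the `scrub_event` helper and the HMAC key are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumed field names for secrets in a signup or login event (hypothetical).
SENSITIVE_KEYS = {"password", "new_password", "password_confirm"}
# Constructed key for this example; load a real one from a secret store.
LOG_HMAC_KEY = b"constructed-example-key"


def scrub_event(event, user_exists):
    """Return a copy of an auth event that is safe to write to a diagnostic log."""
    safe = {}
    for key, value in event.items():
        if key.lower() in SENSITIVE_KEYS:
            # Record only that a secret was submitted, never its value.
            safe[key] = "[REDACTED]"
        elif key == "username" and event.get("action") == "login" and not user_exists:
            # An unknown "username" on a login attempt may be a password typed
            # into the wrong field. A keyed digest hides it but still lets
            # repeated attempts be correlated.
            mac = hmac.new(LOG_HMAC_KEY, str(value).encode("utf-8"), hashlib.sha256)
            safe[key] = "unknown:" + mac.hexdigest()[:16]
        else:
            safe[key] = value
    return safe


if __name__ == "__main__":
    # Constructed sample events.
    signup = {"action": "signup", "username": "alice@example.com", "password": "hunter2"}
    typo = {"action": "login", "username": "Tr0ub4dor&3", "password": ""}
    print(scrub_event(signup, user_exists=False))
    print(scrub_event(typo, user_exists=False))
```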