Google announced in a blog post that it had stored some G Suite (enterprise) users’ passwords in plain text since 2005, about 14 years. The good news is that Google found no evidence that the passwords were breached or misused.
When Google stores a password, it normally goes through a process called “hashing.” A hash function turns the password into a fixed-size scramble that cannot be run backwards: Google can check a login attempt by hashing what you type and comparing it with the stored value, but someone who steals the stored value still does not have your password. The passwords in question were never hashed and were instead kept as plain text, so anyone who could read them had the passwords themselves.
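To make the difference concrete, here is an added example (written for this page, not Google’s code) of the two ways a login system can keep a password: the flawed way, where the record is the password itself, and the intended way, where the record is a salted, slow hash that lets the server check a password but not recover it. The store classes, usernames and passwords are constructed for illustration; the hashing uses Python’s standard-library PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Higher is slower for an attacker guessing
# passwords offline, and also for your login path; tune it to your hardware.
ITERATIONS = 600_000
SALT_BYTES = 16


class PlaintextStore:
    """The flawed layout: the stored record is the password itself."""

    def __init__(self):
        self._db = {}

    def register(self, username, password):
        self._db[username] = password

    def verify(self, username, password):
        stored = self._db.get(username)
        return stored is not None and hmac.compare_digest(
            stored.encode("utf-8"), password.encode("utf-8")
        )

    def dump(self):
        # Whoever can read this table (a backup, a log, an insider) now holds
        # every password in it, ready to use against any site that reuses them.
        return dict(self._db)


class HashedStore:
    """Salted, slow hash: the record lets you check a password, not read it."""

    def __init__(self):
        self._db = {}

    @staticmethod
    def _derive(password, salt, iterations):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def register(self, username, password):
        # A fresh random salt per user: two people with the same password get
        # different records, and precomputed hash tables are useless.
        salt = os.urandom(SALT_BYTES)
        digest = self._derive(password, salt, ITERATIONS)
        # Self-describing record, so the work factor can be raised later
        # without having to rehash everyone on the same day.
        self._db[username] = f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

    def verify(self, username, password):
        record = self._db.get(username)
        if record is None:
            # Burn a hash anyway so an unknown username does not answer faster
            # than a wrong password (avoids a timing oracle on usernames).
            self._derive(password, b"\x00" * SALT_BYTES, ITERATIONS)
            return False
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = self._derive(password, bytes.fromhex(salt_hex), int(iterations))
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

    def dump(self):
        # A leaked table only lets an attacker *guess* passwords, one slow
        # hash at a time; it does not hand them over.
        return dict(self._db)


def leaked_records(password="correct horse battery staple"):
    """Register the same constructed password in both stores and return what
    an attacker who copied each table would see for user 'alice'."""
    plain, hashed = PlaintextStore(), HashedStore()
    plain.register("alice", password)
    hashed.register("alice", password)
    return plain.dump()["alice"], hashed.dump()["alice"]


if __name__ == "__main__":
    exposed, protected = leaked_records()
    print("plaintext table leaks:", exposed)
    print("hashed table leaks:   ", protected)
```

The hashed record contains the algorithm name, the iteration count and the salt in the clear; none of that is secret. What protects the user is that recovering the password from the digest means guessing candidates and running the slow hash for each, whereas the plaintext record needs no work at all.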
Google did not clarify how many user passwords were unprotected.
“We take the security of our enterprise customers extremely seriously, and pride ourselves in advancing the industry’s best practices for account security,” wrote Suzanne Frey, vice president of engineering at Google. “Here we did not live up to our own standards, nor those of our customers. We apologize to our users and will do better.”
How did this happen?
The error dates back to 2005, when Google built a new password-handling feature for its enterprise accounts and made a mistake in how it stored what it was given. The passwords themselves still went through Google’s hashing system as intended, but the flawed feature also kept an unhashed copy, and that copy went unnoticed for years.
While troubleshooting G Suite customer sign-up flows, Google discovered that unhashed passwords were still being kept: a subset of them stayed on Google’s systems in plain text for up to two weeks at a time before being deleted. Google has since removed the error.
Should I be worried?
Short answer: not really.
Google did not suffer a breach in which a hacker stole your password. The company was careless in how it protected some of the passwords, but it reports finding no evidence that anyone improperly accessed or misused them, and it has fixed the problem. The practical caveat is that, for the affected accounts, the plain-text copies were readable by whatever had access to those internal systems during that time, so changing an affected password costs nothing and removes any remaining doubt.