What actually happened?
On May 22nd, 2019, Google notified G Suite users that they had made an error implementing password storage back in 2005. Normally a service never keeps your password at all; it stores only a hash of it. Hashing is not encryption: it is a one-way scramble with no key that turns the result back into the password, and a well-designed password hash is also salted and deliberately slow, so that even a stolen table of hashes is expensive to guess against. The company therefore cannot see your actual password or unscramble it, even if you forget it; the most it can do is reset it. When you log in, the server hashes what you typed and compares the result with the stored hash, so the correct password still gets you into your account.
G Suite account administrators were permitted to change and recover their users’ passwords, a feature Google provided to help administrators with the on-boarding process for new employees. Recovering a password is only possible if the original is kept somewhere, and that is exactly what the system did: it stored a copy of these passwords in plain text. Not only could administrators see them, Google employees could see them too. We hope nobody chose “MyBossSucks123” as their password!
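To make the difference concrete, here is an added example (ours, not Google’s code) that puts the two designs side by side: a store that keeps the password itself, which is what makes an admin “recover password” button possible, and a store that keeps only a per-user salt and a slow scrypt hash. The sample accounts and passwords are constructed for the demonstration, and the audit helper simply checks whether any password appears verbatim in the raw datastore, which is the check that would have caught the admin-console bug.

```python
"""Plaintext password storage beside salted, memory-hard hashing.
Added example for this article; not Google's code. Sample credentials are constructed."""
import hashlib
import hmac
import os

# Constructed sample credentials for the demonstration; not real accounts.
SAMPLE_USERS = {
    "alice@example.com": "MyBossSucks123",
    "bob@example.com": "correct horse battery staple",
}


class PlaintextStore:
    """Models the flawed admin-console behaviour: the password itself is kept,
    so anyone who can read the datastore (an admin, an insider, or an attacker
    who exfiltrates it) reads every password directly."""

    def __init__(self):
        self._db = {}

    def set_password(self, user, password):
        self._db[user] = password

    def verify(self, user, password):
        stored = self._db.get(user)
        return stored is not None and hmac.compare_digest(
            stored.encode("utf-8"), password.encode("utf-8"))

    def recover(self, user):
        # Recovery is only possible because the secret was never discarded.
        return self._db.get(user)

    def raw_records(self):
        return dict(self._db)


class HashedStore:
    """Stores a random per-user salt and scrypt(password, salt); the password
    itself is thrown away. Verification re-derives the hash from the candidate,
    so the server can check a login but cannot hand the password back."""

    # scrypt cost: 2**14 * 8 * 128 bytes = 16 MiB of memory per guess, which is
    # what makes bulk offline guessing expensive if the table ever leaks.
    N, R, P, DKLEN = 2 ** 14, 8, 1, 32

    def __init__(self):
        self._db = {}

    def _derive(self, password, salt):
        return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                              n=self.N, r=self.R, p=self.P, dklen=self.DKLEN)

    def set_password(self, user, password):
        salt = os.urandom(16)  # unique per user, so equal passwords hash differently
        self._db[user] = (salt, self._derive(password, salt))

    def verify(self, user, password):
        salt, stored = self._db.get(user, (b"\x00" * 16, b"\x00" * self.DKLEN))
        # Always run the derivation, so an unknown user costs the same time as a
        # wrong password and cannot be told apart by timing.
        candidate = self._derive(password, salt)
        return user in self._db and hmac.compare_digest(stored, candidate)

    def recover(self, user):
        # Nothing to return: the only safe "recovery" is a reset to a new password.
        return None

    def raw_records(self):
        return {u: salt.hex() + "$" + digest.hex()
                for u, (salt, digest) in self._db.items()}


def exposed_passwords(store, credentials):
    """Audit helper: which users' passwords appear verbatim in the raw datastore?"""
    dump = store.raw_records()
    return {u for u, pw in credentials.items() if pw in dump.values()}


def populate(store, credentials=SAMPLE_USERS):
    for user, password in credentials.items():
        store.set_password(user, password)
    return store


if __name__ == "__main__":
    plain = populate(PlaintextStore())
    hashed = populate(HashedStore())
    print("plaintext store exposes:", exposed_passwords(plain, SAMPLE_USERS))
    print("hashed store exposes:   ", exposed_passwords(hashed, SAMPLE_USERS))
    print("admin recovery (plaintext):", plain.recover("alice@example.com"))
    print("admin recovery (hashed):   ", hashed.recover("alice@example.com"))
```

Run it and the plaintext store hands back every password on request while the hashed store can only answer yes or no to a login attempt; that asymmetry is the whole point, and any product feature that needs to show a user’s existing password is a sign the password is being stored rather than hashed.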
Google noticed the bug only in 2019, 14 years later, and has now fixed it. The company stated:
“This practice did not live up to our standards. To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.”
Why is this a problem?
Google’s business model is based on providing free services in exchange for your data (you can see exactly how much data it collects by going to your account settings; it might surprise you). Google claims to be privacy-friendly and even goes as far as criticising its competitors, saying that ‘online privacy shouldn’t be a luxury.’
Google has been caught many times before violating your privacy: secretly scanning your emails, allowing third parties to read them, tracking your location even when you told it not to, using face recognition and scanning your photos; the list goes on. It also makes it pretty difficult for you to delete the data it has gathered about you, while trying to convince you that it’s safe to use Google services.
Given how much data Google holds and the countless ways that data could be used and abused against individuals, businesses and societies, one would hope that it makes security a priority. This case, however, shows once again that security is not its number-one priority.
They say that if you don’t pay for a product, you are the product, and that’s true in most cases, especially Google’s and Facebook’s. But what about users who do pay for the service, like the G Suite account holders whose passwords were stored insecurely? What chance does the average user have if they don’t pay a dime and all they give is their data? Can they really trust Google?
What should I do now?
Google says it has already emailed the administrators of the affected G Suite accounts and told them which users’ passwords were stored unhashed. If you were affected, change that password now, and change it anywhere else you reused it. If you use other Google services and you’re worried about your privacy, we suggest:
- Using strong, unique passwords, keeping them in a password manager, and turning on 2-step verification so that a leaked password alone is not enough to get into your account;
- Limiting the amount of data you create and give to tech giants. The less they have, the less they can leak;
- Not putting all your eggs in one basket. Instead, use privacy-oriented alternatives to Google services; they don’t combine your data from multiple platforms into a single user profile;
- Keeping an eye on cybersecurity news by subscribing to our free monthly newsletter.