If you missed the news yesterday Google has announced that over a 14-year period, some G Suite passwords were stored in plaintext. Google’s VP of Engineering, Suzanne Frey, had the following comment “To be clear, these passwords remained in our secure encrypted infrastructure. This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.” Of note, Google consumer accounts were not affected by this latest security incident.
We should, however, not assume that someone has not accessed these passwords sometime in the past 14 years. The chances are actually pretty good that someone has had access to this information at some point. Google is now taking the appropriate steps and resetting every account password that has been caught up in this security incident. Users will be sent an email letting them know that their account has been reset and that they need to login to create a new password. I give kudos to Google for taking this action. I believe that after any account breach or incident that the organization has an obligation to protect their customers and take the necessary steps to keep anyone from hijacking an account.
Something that users of G Suite should be on the lookout for are an uptick in phishing attacks. Peering into my crystal ball I can see a large number of phishing attacks being created and targeting users trying to get them to “reset” their G Suite accounts. If you are a G Suite administrator, I would make it a point to educate employees as quickly as possible about the current incident and make them aware of the potential for targeted phishing campaigns.
This is also a good time to remind everyone the importance of using MFA/2FA or what Google refers to as 2SV (2-step verification). Today, we should just assume that for any site that we have credentials for that those credentials will be known to others at some point. If any site offers MFA/2FA you need to make it a priority to configure and enable it. G Suite offers multiple forms of 2SV. I urge you to make it a priority to get this in production for your G Suite domain. I’ve include a link to the Google Support page for 2SV Here.
Finally, no Cerdant didn’t know this was coming. In 2017, 4 days after our annual security conference WannaCry was released which affected over 300,000 machines in just days. Now, in 2019, 5 days after our annual security conference we bring you the news of the Google G Suite password security incident. Coincidence? Ha, yes that is all it is my friends, but I will say it is somewhat eerie.
As always if you need assistance or just want to run some questions by us please don’t hesitate to reach out. We are here for you and will help however we can.