Google “inadvertently stored” plain text passwords of G Suite registrations

Nathan Mahdavi
May 21, 2019


G Suite users who were affected between January 13th, 2019 and May 9th, 2019 have been contacted to inform them that their passwords were logged “unhashed” in Google’s “encrypted systems”.

The full email can be found below:

Dear G Suite Administrator,

We are writing to inform you that between January 13, 2019 and May 9, 2019, an internal system that logged account signup information for diagnostic purposes, inadvertently stored one of your user account passwords in our encrypted systems in an unhashed format. This impacted the user account password provided during the initial account signup process. The log information was retained for 14 days following the signup process, and then was deleted according to our normal retention policies.

We have reviewed the login information for the account and have found no evidence that the unhashed password was misused.

The following is the user account impacted in your domain(s):

[my@email.com]

Google Planned Action: for your security, starting tomorrow Wednesday, May 22, 2019 PT we will force a password change unless it has already been changed prior to that time.

Our password update methodology is as follows:

  • We will terminate the impacted user’s session and prompt the user to change their password at their next login.
  • In addition, starting Wednesday, May 29, 2019 PT we will reset the password for the user if they have not yet selected a new password or have not had a password reset. This user will need to follow your organization’s password recovery process. However, Super Admins will not be impacted. For information on password recovery options please refer to the following Help Center Article.

For further questions please contact Google Support and reference issue number 133116569.

Sincerely,

The G Suite Team
