The data has been relatively vulnerable since 2005.
Facebook isn’t the only big tech company found to be storing passwords in plain text. Google has warned G Suite users that an “error” in a password recovery implementation left some of their passwords unhashed on its internal systems since 2005 until that method was discontinued. Other plain passwords had been temporarily stored since January 2019, Google said. All those systems were encrypted, and there was “no evidence” that someone had misused the info, but it still raised the possibility that an intruder could have direct access to logins if they cracked the encryption.
The company isn’t taking any chances despite the lack of known breaches. It’s asking G Suite administrators to change passwords, and it’s automatically resetting passwords for those who do nothing. Consumer Google accounts aren’t affected by the flawed approach.
This, along with incidents at companies like Facebook and Twitter, underscores a mounting problem with internet security: poor security approaches from the past are coming back to haunt companies that have otherwise done a lot to clean up their acts. It stresses the importance of getting security strategies right the first time around. If you don’t, there’s a real possibility of headaches years down the road.