Flipboard Database Hacked — Users’ Account Information Exposed


Flipboard, a popular social sharing and news aggregator service used by over 150 million people, has disclosed that its databases containing account information of certain users have been hacked.

According to a public note published yesterday by the company, unknown hackers managed to gain unauthorized access to its systems for nearly 10 months—between June 2, 2018, and March 23, 2019, and then again on April 21-22, 2019.

The hackers then potentially downloaded databases containing Flipboard users’ real names, usernames, cryptographically protected (salted and hashed) passwords and email addresses, as well as digital tokens for users who had linked their Flipboard account to a third-party social media service.

According to a breach notification email sent out to affected users and seen by The Hacker News, the company has now reset passwords for all users as a precautionary measure, forcing users to create a new strong password for their accounts.

“You can continue to use Flipboard on devices from which you are already logged in. When you access your Flipboard account from a new device or the next time you log into Flipboard after logging out of your account, you will be asked to create a new password,” the company said.

Flipboard also said it had not seen unauthorized access to any third-party account and is still in the process of determining the total number of affected users.

The company has also decided to replace or delete all digital tokens, so that they are no longer valid and cannot be misused.

“We have not found any evidence the unauthorized person accessed third-party account(s) connected to users’ Flipboard accounts. As a precaution, we have replaced or deleted all digital tokens,” the post read.

“If you connected your Flipboard account to a third-party account to see its content, you may notice in some cases that you need to reconnect it.”

“Notably, Flipboard does not collect from users, and this incident did not involve, government-issued IDs (such as Social Security numbers or driver’s license numbers), or payment card, bank account, or other financial information.”

The company did not disclose the total number of users affected by the breach, but said that the next time you log into your Flipboard account you will be required to update its password.

Also, if you use the same username and password combination as your Flipboard account for any other online service, you should change your password there as well.

The company has notified law enforcement about the incident and is still investigating how the hackers managed to gain access to its systems in the first place and what vulnerabilities they exploited.

Top 5 Last-Minute Memorial Day Deals at THN Store → Get 60% Extra OFF


Memorial Day has come and gone, but you still have time to land some of the best deals on some of the best apps and tech training bundles around.

Whether you’re looking for a world-class VPN or want to begin a career as a high-paid ethical hacker or IT pro, this list of ultra-discounted apps and course bundles has you covered.

Ethical Hacking

MSRP: $1273 – Sale Price: $39 — Memorial Day Sale Price: $15.60 with coupon code WEEKEND60

Although it may sound counterintuitive, the only person who can stop a hacker is another hacker. Known as ethical or “white hat” hackers, these intrepid cyber warriors are in high demand throughout countless industries, and this training will teach you how to join their ranks through 8 courses and over 45 hours of instruction.

CompTIA Certification Training

MSRP: $3433 – Sale Price: $69 — Memorial Day Sale Price: $27.60 with coupon code WEEKEND60

There’s never been a better time to work in IT, and this 12-course training bundle will help you earn some of the most important certifications in the field—through instruction that teaches you how to install, maintain, and troubleshoot a wide variety of server infrastructures.

Become an Ethical Hacker

MSRP: $681 – Sale Price: $39.99 — Memorial Day Sale Price: $15 with coupon code WEEKEND60

If you want to fast-track your career as a certified ethical hacker, look no further than this 9-course bundle, which will teach you how to do everything from penetration testing to threat retaliation and beyond—all through courses that utilize real-world examples.

Private Internet Access VPN

MSRP: $358 – Sale Price: $79.99 — Memorial Day Sale Price: $60 with coupon code WEEKEND25

The only thing stopping hackers from obtaining everything from your browsing history to your banking information is a VPN, and unlike most VPNs that can slow you down, Private Internet Access VPN lets you browse securely without inhibiting your bandwidth.

AWS Certified Architect Developer

MSRP: $984 – Sale Price: $25 — Memorial Day Sale Price: $10 with coupon code WEEKEND60

AWS architects are in increasingly high demand throughout countless industries, and this 7-course training bundle will teach you how to earn the top AWS certifications around—through courses that teach you everything from the fundamentals to the most advanced elements of this powerful platform.

Like these deals? Check out Vault — you’ll get four premium tools, including NordVPN and Dashlane, to supercharge your online security. Enter code VAULTONE to try it out for just $1!

Hackers Infect 50,000 MS-SQL and PHPMyAdmin Servers with Rootkit Malware


Cybersecurity researchers at Guardicore Labs today published a detailed report on a widespread cryptojacking campaign attacking Windows MS-SQL and PHPMyAdmin servers worldwide.

Dubbed Nansh0u, the malicious campaign is reportedly being carried out by an APT-style Chinese hacking group that has already infected nearly 50,000 servers and is installing a sophisticated kernel-mode rootkit on compromised systems to prevent the malware from being terminated.

The campaign, which dates back to February 26 but was first detected in early April, has been found delivering 20 different payload versions hosted on various hosting providers.

The attack relies on brute-forcing credentials after finding publicly accessible Windows MS-SQL and PHPMyAdmin servers using a simple port scanner.

Upon successfully authenticating with administrative privileges, the attackers execute a sequence of MS-SQL commands on the compromised system to download a malicious payload from a remote file server and run it with SYSTEM privileges.

In the background, the payload leverages a known privilege escalation vulnerability (CVE-2014-4113) to gain SYSTEM privileges on the compromised systems.

“Using this Windows privilege, the attacking exploit injects code into the Winlogon process. The injected code creates a new process which inherits Winlogon SYSTEM privileges, providing equivalent permissions as the prior version.”

The payload then installs a cryptocurrency mining malware on compromised servers to mine TurtleCoin cryptocurrency.

Besides this, the malware also protects its process from being terminated by using a digitally signed kernel-mode rootkit for persistence.

“We found that the driver had a digital signature issued by the top Certificate Authority Verisign. The certificate – which is expired – bears the name of a fake Chinese company – Hangzhou Hootian Network Technology.”

Researchers have also released a complete list of IoCs (indicators of compromise) and a free PowerShell-based script that Windows administrators can use to check whether their systems are infected or not.

Since the attack relies on weak username and password combinations for MS-SQL and PHPMyAdmin servers, admins are advised to always keep a strong, complex password for their accounts.
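The entry point of this campaign is a credential brute-force, which leaves a burst of failed logins in the SQL Server ERRORLOG (and, on Windows, as Application-log event 18456). The script below is an added example, not code from the Guardicore report or its IoC checker: it groups constructed ERRORLOG-style sample lines by client address and flags any client whose failures cluster inside a short window, escalating when a success from the same client follows the burst. The threshold and window values are arbitrary.

```powershell
# Added example, not from the Guardicore report: flag the burst of failed logins that a
# credential brute-force against SQL Server leaves in its ERRORLOG. The log lines below are
# constructed samples in the standard "Login failed for user ... [CLIENT: ip]" format;
# the threshold and window are arbitrary choices.

$sampleLog = @'
2019-04-01 10:15:32.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-01 10:15:32.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-01 10:15:32.71 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-01 10:15:33.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-01 10:15:33.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-01 10:15:33.66 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2019-04-01 10:15:34.01 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2019-04-01 10:20:45.77 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.20]
'@ -split "`r?`n"

function Find-SqlBruteForce {
    param(
        [string[]]$Lines,
        [int]$Threshold = 5,      # failures from one client that count as a burst
        [int]$WindowMinutes = 5   # ... when they fall within this many minutes
    )
    $pattern = '^(?<ts>\S+ \S+)\s+Logon\s+Login (?<result>failed|succeeded) for user ''(?<user>[^'']*)''.*\[CLIENT: (?<ip>[^\]]+)\]'
    $culture = [System.Globalization.CultureInfo]::InvariantCulture

    # Normalise each matching line into a small event record.
    $events = foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Time   = [datetime]::ParseExact($Matches.ts, 'yyyy-MM-dd HH:mm:ss.ff', $culture)
                Result = $Matches.result
                User   = $Matches.user
                Client = $Matches.ip
            }
        }
    }

    foreach ($group in ($events | Group-Object Client)) {
        $fails = @($group.Group | Where-Object { $_.Result -eq 'failed' } | Sort-Object Time)
        if ($fails.Count -lt $Threshold) { continue }

        # Sliding window: any $Threshold consecutive failures inside $WindowMinutes is a burst.
        for ($i = 0; $i -le $fails.Count - $Threshold; $i++) {
            $span = $fails[$i + $Threshold - 1].Time - $fails[$i].Time
            if ($span.TotalMinutes -le $WindowMinutes) {
                # A success from the same client after the burst began is the case to escalate:
                # a guessed password worked, which is the foothold the campaign above needs.
                $successAfter = $group.Group | Where-Object { $_.Result -eq 'succeeded' -and $_.Time -gt $fails[$i].Time }
                [pscustomobject]@{
                    Client         = $group.Name
                    Failures       = $fails.Count
                    Users          = (($fails | ForEach-Object { $_.User }) | Select-Object -Unique) -join ','
                    FirstFailure   = $fails[0].Time
                    SucceededAfter = [bool]$successAfter
                }
                break
            }
        }
    }
}

Find-SqlBruteForce -Lines $sampleLog | Format-Table -AutoSize
```

On a real host, replace `$sampleLog` with `Get-Content` of the instance's ERRORLOG; PHPMyAdmin logins would need the web server's access log and a different pattern.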

Nearly 1 Million Computers Still Vulnerable to “Wormable” BlueKeep RDP Flaw


Nearly 1 million Windows systems are still unpatched and have been found vulnerable to a recently disclosed critical, wormable, remote code execution vulnerability in the Windows Remote Desktop Protocol (RDP), two weeks after Microsoft released the security patch.

If exploited, the vulnerability could allow an attacker to easily cause havoc around the world, potentially much worse than what wormable attacks like WannaCry and NotPetya did in 2017.

Dubbed BlueKeep and tracked as CVE-2019-0708, the vulnerability affects Windows 2003, XP, Windows 7, Windows Server 2008 and 2008 R2 editions and could spread automatically on unprotected systems.

The vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code and take control of a targeted computer just by sending specially crafted requests to the device’s Remote Desktop Service (RDS) via the RDP—without requiring any interaction from a user.

Describing the BlueKeep vulnerability as wormable, meaning it could allow malware to propagate to vulnerable systems just like WannaCry, Microsoft released a security fix to address the vulnerability with its May 2019 Patch Tuesday updates.

However, the latest Internet scan performed by Robert Graham, head of offensive security research firm Errata Security, revealed that, unfortunately, roughly 950,000 publicly accessible machines on the Internet are vulnerable to the BlueKeep bug.

This clearly means that even after the security patch is out, not every user and organisation has deployed it to address the issue, posing a massive risk to individuals and organizations, including industrial and healthcare environments.

Graham used “rdpscan,” a quick scanning tool he built on top of his masscan port scanner that can scan the entire Internet for systems still vulnerable to the BlueKeep vulnerability, and found some 7 million systems listening on port 3389, of which around 1 million are still vulnerable.

“Hackers are likely to figure out a robust exploit in the next month or two and cause havoc with these machines,” the researcher says.

“That means when the worm hits, it’ll likely compromise those million devices. This will likely lead to an event as damaging as WannaCry, and notPetya from 2017 — potentially worse, as hackers have since honed their skills exploiting these things for ransomware and other nastiness.”

The BlueKeep vulnerability has so much potential to wreak havoc worldwide that it forced Microsoft to release patches for not only the supported Windows versions but also Windows XP, Windows Vista and Windows Server 2003, which no longer receive mainstream support from the company but are still widely used.

Not just researchers: malicious hackers and cybercriminals have also started scanning the Internet for vulnerable Windows systems to target them with malware, GreyNoise Intelligence said.

“GreyNoise is observing sweeping tests for systems vulnerable to the RDP “BlueKeep” (CVE-2019-0708) vulnerability from several dozen hosts around the Internet. This activity has been observed from exclusively Tor exit nodes and is likely being executed by a single actor,” the tweet says.

However, fortunately, so far no security researcher has publicly published any proof-of-concept exploit code for BlueKeep, though a few of them have confirmed that they have successfully developed a working exploit.

Are you still waiting for me to tell you what you should do next? Go and fix the goddamn vulnerability if you are using one of them.

If fixing the flaw in your organisation is not possible anytime soon, then you can take these mitigations:

  • Disable RDP services, if not required.
  • Block port 3389 using a firewall or make it accessible only over a private VPN.
  • Enable Network Level Authentication (NLA) – this is a partial mitigation that prevents an unauthenticated attacker from exploiting this wormable flaw.
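To check a single host against the three mitigations just listed, here is an added example that is not code from the article, from Errata Security or from Microsoft. It assumes an elevated PowerShell 3.0 or later session; the registry values it reads (fDenyTSConnections, UserAuthentication, PortNumber) and the HNetCfg.FwPolicy2 COM object are the standard Windows Terminal Server and firewall interfaces.

```powershell
# Added example, not code from the article, Errata Security or Microsoft: a read-only
# audit of the local host against the three mitigations listed above. Assumes an
# elevated PowerShell 3.0+ session.

function Get-BlueKeepExposure {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"

    # OS families the article lists as affected: XP/2003 (5.x), Vista/2008 (6.0), 7/2008 R2 (6.1).
    # Being in the family does not tell you whether the May 2019 patch is installed; check that separately.
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $ver = [version]$os.Version
    $affectedFamily = ($ver.Major -eq 5) -or ($ver.Major -eq 6 -and $ver.Minor -le 1)

    # Mitigation 1: fDenyTSConnections = 1 means Remote Desktop is switched off entirely.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpDisabled = ($deny -eq 1)

    # Mitigation 3: UserAuthentication = 1 means NLA must succeed before a session is set up,
    # which is the partial mitigation against unauthenticated attackers named above.
    $ua = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $nlaRequired = ($ua -eq 1)

    # The listener uses 3389 unless PortNumber was changed.
    $port = (Get-ItemProperty -Path $rdpKey -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }

    # Is that port bound right now? (.NET call, so it needs no NetTCPIP module and works on Windows 7.)
    $listening = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners() |
        Where-Object { $_.Port -eq $port }

    # Mitigation 2: enabled inbound (Direction 1) allow (Action 1) rules for TCP (6) or any (256)
    # protocol whose LocalPorts is '*' or lists the RDP port. Port ranges such as "3380-3390" are not expanded.
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    $allowRules = @($fw.Rules | Where-Object {
            $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 1 -and
            ($_.Protocol -eq 6 -or $_.Protocol -eq 256) -and
            ($_.LocalPorts -eq '*' -or (($_.LocalPorts -split ',') -contains "$port"))
        } | ForEach-Object { $_.Name })

    [pscustomobject]@{
        OSVersion         = $os.Version
        InAffectedFamily  = $affectedFamily
        RdpDisabled       = $rdpDisabled
        NlaRequired       = $nlaRequired
        RdpPort           = $port
        PortListening     = [bool]$listening
        InboundAllowRules = $allowRules
        # Exposed only when the host is in an affected family and every mitigation is missing at once.
        Exposed           = ($affectedFamily -and -not $rdpDisabled -and [bool]$listening -and $allowRules.Count -gt 0 -and -not $nlaRequired)
    }
}

Get-BlueKeepExposure | Format-List
```

A host that reports Exposed = True with InAffectedFamily = True still needs the patch; the mitigations only shrink the window until it is applied.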

U.S. Charges WikiLeaks’ Julian Assange With Violating Espionage Act


The United States Justice Department has unveiled charges against WikiLeaks founder Julian Assange with 17 new counts alleging violation of the Espionage Act by publishing classified information through the WikiLeaks website.

If convicted for all counts, Assange could face a maximum sentence of 175 years in U.S. prison for his “alleged role in one of the largest compromises of classified information in the history of the United States.”

Assange was arrested last month in London after Ecuador abruptly withdrew his asylum and later sentenced to 50 weeks in U.K. prison for breaching his bail conditions in 2012.

The 47-year-old is currently facing extradition to the United States for his role in publishing thousands of classified diplomatic and military documents on WikiLeaks in 2010 that embarrassed the U.S. government across the world.

Though the previous indictment charged Assange with just one count of helping former Army intelligence analyst Chelsea Manning crack a password, the latest 18-count indictment accuses him of receiving and unlawfully publishing U.S. military and diplomatic documents over a dozen times, in violation of the 1917 Espionage Act.

Until now, the DoJ has only prosecuted and charged government officials who leak classified information to the media or public, but this is the first time that the 102-year-old, First World War-era Espionage Act has been used against a journalist.

The Espionage Act forbids the disclosure of national defense information that could be used against the United States or to the advantage of any foreign nation.

“Assange then published on WikiLeaks classified documents that contained the unredacted names of human sources who provided information to United States forces in Iraq and Afghanistan, and to U.S. State Department diplomats around the world,” Justice Department says.

“These human sources included local Afghans and Iraqis, journalists, religious leaders, human rights advocates, and political dissidents from repressive regimes.”

The indictment also says that Assange had “repeatedly encouraged sources with access to classified information to steal and provide it to Wikileaks to disclose.”

“Assange’s actions risked serious harm to United States national security to the benefit of our adversaries and put the unredacted named human sources at a grave and imminent risk of serious physical harm and/or arbitrary detention,” DoJ says.

In response to the latest indictment, WikiLeaks posted a statement on Twitter calling the prosecution “madness” and “the end of national security journalism and the First Amendment,” which guarantees free speech.

Update: Hacker Disclosed 4 New Microsoft Zero-Day Exploits in Last 24 Hours


Less than 24 hours after publicly disclosing an unpatched zero-day vulnerability in Windows 10, the anonymous hacker going by online alias “SandboxEscaper” has now dropped new exploits for two more unpatched Microsoft zero-day vulnerabilities.

The two new zero-day vulnerabilities affect Microsoft’s Windows Error Reporting service and Internet Explorer 11.

Just yesterday, while releasing a Windows 10 zero-day exploit for a local privilege escalation bug in the Task Scheduler utility, SandboxEscaper claimed to have discovered four more zero-day bugs, exploits for two of which have now been publicly released.

AngryPolarBearBug2 Windows Bug

One of the latest Microsoft zero-day vulnerabilities resides in the Windows Error Reporting service that can be exploited using a discretionary access control list (DACL) operation—a mechanism that identifies users and groups that are assigned or denied access permissions to a securable object.

Upon successful exploitation, an attacker can delete or edit any Windows file, including system executables, which otherwise only a privileged user can do.

Dubbed AngryPolarBearBug2 by the hacker, the vulnerability is a successor to a previous Windows Error Reporting service vulnerability she found late last year, which was named AngryPolarBearBug and allowed a local, unprivileged attacker to overwrite any chosen file on the system.

However, as SandboxEscaper says, this vulnerability is not very easy to exploit, and it “can take upwards of 15 minutes for the bug to trigger.”

“I guess a more determined attacker might be able to make it more reliable,” the hacker said. “It is just an insanely small window in which we can win our race; I wasn’t even sure if I could ever exploit it at all.”

Internet Explorer 11 Sandbox Bypass

The second Microsoft zero-day vulnerability revealed today by SandboxEscaper affects Microsoft’s web browser, Internet Explorer 11 (IE11).

Though the exploit note doesn’t contain any detail about this flaw, a video demonstration released by the hacker shows the vulnerability exists due to an error when the vulnerable browser handles a maliciously crafted DLL file.

This would eventually allow an attacker to bypass IE Protected Mode sandbox and execute arbitrary code with Medium integrity permissions.

Though none of the three unpatched zero-day vulnerabilities SandboxEscaper released within the last 24 hours is critical, users can expect security updates from Microsoft on 11 June, the company’s next Patch Tuesday.

SandboxEscaper has a history of releasing fully functional exploits for zero-day vulnerabilities in the Windows operating system. Last August, she debuted another Windows Task Scheduler vulnerability on Twitter, which hackers quickly started exploiting in the wild in a spy campaign after disclosure.

Later, in October 2018, the hacker released an exploit for a then-zero-day vulnerability in Microsoft’s Data Sharing Service (dssvc.dll), which she dubbed “Deletebug.” In December 2018, she released two more zero-day vulnerabilities in the Windows operating system.

You can expect two more Microsoft zero-day vulnerabilities from SandboxEscaper in the coming days, as she promised to release them.

Important Update — Two More 0-Day Exploits Published

Gal De Leon, Principal Security Researcher at Palo Alto Networks, revealed in a tweet that the AngryPolarBearBug2 bug is not a zero-day; Microsoft had already patched it, as CVE-2019-0863, in its May 2019 Patch Tuesday security updates.

However, SandboxEscaper has just released PoC exploits for two more new unpatched zero-day vulnerabilities in Microsoft Windows, bringing the total of zero-day disclosures to four in the past 24 hours.

The first exploit bypasses the patch Microsoft released for an elevation of privilege vulnerability (CVE-2019-0841) in Windows that exists because the Windows AppX Deployment Service (AppXSVC) improperly handles hard links.

Another repository on GitHub has been labeled as a new “Installer Bypass” issue by SandboxEscaper.

Though the hacker has released video demonstrations for both new flaws as well, security researchers have yet to confirm the claims.

Tor Browser for Android — First Official App Released On Play Store


Wohooo! Great news for privacy-focused users.

Tor Browser, the most popular privacy-focused browser, for Android is finally out of beta, and the first stable version has now arrived on Google Play Store for anyone to download.

The Tor Project announced Tuesday the first official stable release of its ultra-secure internet browser for Android devices, Tor Browser 8.5—which you can now download for FREE on your mobile devices from Google Play Store.

Tor Browser is mostly used by privacy-focused people, activists, journalists, and even cyber criminal gangs to avoid government monitoring. It allows users to browse the Internet anonymously, by hiding their IP addresses and identity, through a network of encrypted servers that bounce their web requests around multiple intermediate links.

Access to the Tor anonymity network was previously available on the Android mobile operating system only through other apps or browsers such as Orbot and Orfox, but you can now use the official Tor Browser, built on Firefox, on your mobile device.

The first alpha build of Tor Browser was released by the Tor Project back in September last year, and since then, the developers have worked hard to provide the same protections users get on the desktop variant to the Android platform as well.

“Mobile browsing is increasing around the world, and in some parts, it is commonly the only way people access the internet,” the Tor Project wrote in a blog post. “In these same areas, there is often heavy surveillance and censorship online, so we made it a priority to reach these users.”

According to the Tor Project developers, Tor Browser for Android is not as complete as its desktop version, but it does carry security features such as protection against proxy bypass, first-party isolation enabled to block cross-site tracking, and other anti-fingerprinting defenses.

“While there are still feature gaps between the desktop and Android Tor Browser, we are confident that Tor Browser for Android provides essentially the same protections that can be found on desktop platforms,” the Tor Project said.

In the notification area of your Android device, Tor Browser offers a quick “New Identity” button that lets you immediately clear your current Tor session, including various caches and other information, without reopening the app or restarting the Tor network connection.

Besides the Android release, the Tor Project also announced the release of a couple of new features in the latest Tor Browser version, like extra tabs, new logos, and user interface improvements.

The Tor Project also said the Tor Browser would continue to be missing from the iOS platform, as Apple continues to restrict all third-party browsers and forces browser vendors to use its own engine. However, iPhone and iPad users can still use Onion Browser to access the Tor network.

5 Cybersecurity Tools Every Business Needs to Know


Cybersecurity experts all echo the same thing – cyber attacks are going to get more rampant, and they will continue to pose severe threats against all technology users.

Businesses, in particular, have become prime targets for cybercriminals due to the nature of data and information they process and store.

2018 saw a slew of data breaches targeting large enterprises that resulted in the theft of the personal and financial records of millions of customers.

Falling victim to cyber attacks can deal a major financial blow to businesses, as the cost of dealing with an attack has risen to $1.1 million on average. It can be even more devastating for small to medium-sized businesses.

60 percent of these smaller operations close within six months after failing to recover from cyber attacks. But aside from these monetary costs, companies can also lose credibility and their customers’ confidence.

Needless to say, businesses must improve the protection of their infrastructures and networks against cyber attacks.

Fortunately, the cybersecurity space has been continually working on developments to keep pace with evolving threats. Here are five tools that businesses should consider adding to their arsenal to boost their defenses.

Log Analysis — XpoLog


Companies must know what is exactly happening within their infrastructures. Fortunately, computers and digital devices have logging mechanisms built in that record most, if not all, computing processes that transpire within them. Logs can reveal patterns and trends that can be indicative of a security breach or malware infestation.

However, since log files are essentially dumps of information stored in plain text format, performing log analyses manually can be a painstaking process.

A way to effectively tap into logs is by using a log analysis tool like XpoLog. The solution collects log files from sources such as servers, endpoints, and applications in real-time.

Using artificial intelligence (AI), it then parses and analyzes the information contained in these logs in order to identify alarming patterns. Insights generated from the analysis can readily inform administrators of any problems that warrant attention.

Application and Data Protection — Imperva


Attackers are constantly probing infrastructures, so it’s critical to have mechanisms that immediately prevent malicious traffic from accessing key network resources such as web applications and databases.

This can be done through the use of web application firewalls (WAFs) and data protection services.

Imperva has been a leading name in WAF and distributed denial-of-service (DDoS) attack mitigation. Most organizations now maintain hybrid infrastructures consisting of on-premises devices and cloud components such as instances, storage, and data warehouses.

Imperva’s WAF can be deployed to protect these resources. It profiles traffic and transactions conducted and prevents malicious traffic and actions from accessing these components.

Penetration Testing — Metasploit


Integrating security tools into the infrastructure is one thing; checking if they actually work is another.

Companies shouldn’t wait for actual cyber attacks to happen to find out if their solutions are properly implemented. They can be proactive and test their defenses themselves.

Administrators can perform penetration testing by using frameworks such as Metasploit. It’s an open source tool that can be configured to scan for exploitable vulnerabilities and even deploy a payload to vulnerable systems.

Metasploit also features select evasion tools that could potentially circumvent existing security measures. It can be used on Windows, Linux, and Mac OS X systems.

Discovering gaps in security gives companies a chance to remedy these issues before an actual attack strikes.

Anti-Phishing — Hoxhunt


The human element continues to be the biggest vulnerability in a company’s cybersecurity chain.

Over 90 percent of security breaches are found to be caused by human error. This is why cybercriminals still actively employ social engineering attacks such as phishing to try and compromise infrastructures.

Such attacks trick users into giving up their credentials or installing malware into their systems.

HoxHunt addresses this by teaching users how to check if an email is a phishing message or if a website is malicious.

Companies can train users using simulated phishing attacks. Hoxhunt’s AI-driven engine even personalizes these attacks to mimic what real-world attacks look like.

Users can report these attacks through a special plugin, and they get immediate feedback on how well they’ve performed.

Fraud Detection — Riskified


Not all attacks seek to breach and steal information from companies. Businesses also have to be wary of fraud attacks.

Hackers and fraudsters now have access to millions of valid personal and financial records from previous data breaches, with which they can easily manipulate businesses’ e-commerce channels, costing merchants billions of dollars globally.

Solutions like Riskified offer comprehensive means to prevent online fraud throughout the course of an online transaction.

Riskified uses machine learning to analyze each transaction and only allows legitimate orders to be processed. It also provides a dynamic checkout feature that automatically adjusts based on a customer’s risk profile, providing various means for customers to verify their purchases.

For instance, a customer with a higher risk profile may be asked to perform additional verification steps without denying transactions outright.

Investments Required

An effective cybersecurity strategy demands that businesses cover all possible areas that can be exploited by attackers. This requires adopting a comprehensive set of tools and solutions that would keep their infrastructures secure. Implementing and integrating these solutions does require spending.

But considering the costs that falling victim to cyberattacks bring, it’s only prudent to make these investments. It’s simply the reality of doing business in this highly digital landscape.

PoC Exploit For Unpatched Windows 10 Zero-Day Flaw Published Online


An anonymous hacker with an online alias “SandboxEscaper” today released proof-of-concept (PoC) exploit code for a new zero-day vulnerability affecting Windows 10 operating system—that’s his/her 5th publicly disclosed Windows zero-day exploit [1, 2, 3] in less than a year.

Published on GitHub, the new Windows 10 zero-day vulnerability is a privilege escalation issue that could allow a local attacker or malware to gain and run code with administrative system privileges on the targeted machines, eventually allowing the attacker to gain full control of the machine.

The vulnerability resides in Task Scheduler, a utility that enables Windows users to schedule the launch of programs or scripts at a predefined time or after specified time intervals.

SandboxEscaper’s exploit code makes use of SchRpcRegisterTask, a method in Task Scheduler to register tasks with the server, which doesn’t properly check for permissions and can, therefore, be used to set an arbitrary DACL (discretionary access control list) permission.

“This will result in a call to the following RPC “_SchRpcRegisterTask,” which is exposed by the task scheduler service,” SandboxEscaper said.

A malicious program or a low-privileged attacker can run a malformed .job file to obtain SYSTEM privileges, eventually allowing the attacker to gain full access to the targeted system.

SandboxEscaper also shared a proof-of-concept video showing the new Windows zero-day exploit in action.

The vulnerability has been tested and confirmed to be successfully working on a fully patched and updated version of Windows 10, 32-bit and 64-bit, as well as Windows Server 2016 and 2019.

More Windows Zero-Day Exploits to Come

Besides this, the hacker also teased that he/she still has 4 more undisclosed zero-day bugs in Windows, three of which lead to local privilege escalation and the fourth of which lets attackers bypass sandbox security.

The details and exploit code for the new Windows zero-day came just a week after Microsoft’s monthly patch updates, which means no patch currently exists for this vulnerability, leaving it open to exploitation and abuse.

Windows 10 users need to wait for a security fix for this vulnerability until Microsoft’s next month security updates—unless the company comes up with an emergency update.

Google Stored G Suite Users’ Passwords in Plain-Text for 14 Years


After Facebook and Twitter, Google becomes the latest technology giant to have accidentally stored its users’ passwords unprotected in plaintext on its servers—meaning any Google employee who has access to the servers could have read them.

In a blog post published Tuesday, Google revealed that its G Suite platform mistakenly stored unhashed passwords of some of its enterprise users on internal servers in plaintext for 14 years because of a bug in the password recovery feature.

G Suite, formerly known as Google Apps, is a collection of cloud computing, productivity, and collaboration tools that have been designed for corporate users with email hosting for their businesses.

It’s basically a business version of everything Google offers.

The flaw, which has now been patched, resided in the password recovery mechanism for G Suite customers, which allows enterprise administrators to upload or manually set passwords for any user of their domain without knowing the previous passwords, in order to help businesses with on-boarding employees and with account recovery.

If admins did reset a password this way, the admin console would store a copy of it in plain text instead of hashing it, Google revealed.

“We made an error when implementing this functionality back in 2005: The admin console stored a copy of the unhashed password,” Google says.

However, Google also says that the plain text passwords were stored not on the open Internet but on its own secure encrypted servers and that the company found no evidence of anyone’s password being improperly accessed.

“This practice did not live up to our standards. To be clear, these passwords remained in our secure encrypted infrastructure,” Google says. “This issue has been fixed, and we have seen no evidence of improper access to or misuse of the affected passwords.”

Google also clarifies that the bug was restricted to users of its G Suite apps for businesses and that no free version of Google accounts like Gmail were affected.

The company did not disclose how many users might have been affected by this bug beyond saying the issue affected “a subset of our enterprise G Suite customers.” With more than 5 million G Suite enterprise customers, however, the bug could affect a large number of users, presumably any user who has used G Suite in the last 14 years.

In order to address the issue, Google has since removed the capability from G Suite administrators and emailed them a list of impacted users, asking them to ensure that those users reset their passwords.

Google says the company would be automatically resetting passwords for those users who do not change their passwords.

“Out of an abundance of caution, we’ll reset accounts that have not done so themselves,” the tech giant says.

Google is the latest tech company to accidentally store unhashed passwords on its internal servers. Recently, Facebook was in the news for storing plaintext passwords for hundreds of millions of its Facebook and Instagram users on its internal servers.

Almost a year ago, Twitter also reported a similar security bug that unintentionally exposed passwords for its 330 million users in readable text on its internal computer system.