As an overview, Google’s core sign-in system is not aware of the actual characters that make up your password. Rather, it stores the output of a hash function (a scrambled string such as 72i32hedgqw23328 in place of GoTFinaleWasOnlyOk789) and associates that hash with your account username.
Both are then also encrypted before being saved to disk. The next time you try to sign in, we again scramble your password the same way. If it matches the stored string then you must have typed the correct password, so your sign-in can proceed.
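As an added illustration (not Google's code or anything from its announcement), the hash-then-compare flow described above in Python. It assumes PBKDF2-HMAC-SHA256 with a random salt as a stand-in for whatever hash function Google actually uses, and the last helper checks for the defect the admin console had: a stored record that still carries the raw password.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example; the page does not state which hash
# function or settings Google uses.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the record the sign-in system keeps: salt and hash, never the password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, attempt: str) -> bool:
    """Scramble the attempt the same way and compare it with the stored string.

    The comparison is constant-time so that response timing does not leak
    how many leading bytes of the hash matched.
    """
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def stored_record_contains_plaintext(record: dict, password: str) -> bool:
    """The fault described on the page: a tool that kept an unhashed copy.

    A correctly built record never contains the password itself.
    """
    return any(password in str(value) for value in record.values())


# Constructed sample using the example password quoted on the page.
ACCOUNT = hash_password("GoTFinaleWasOnlyOk789")
```

Two calls to hash_password for the same password yield different records because each gets its own salt, which is what stops identical passwords across accounts from sharing one stored hash.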
For G Suite enterprise accounts, Google previously offered IT administrators tools to create and recover employee passwords. The fault lies with the latter utility, which has since been deprecated:
We made an error when implementing this functionality back in 2005: The admin console stored a copy of the unhashed password. This practice did not live up to our standards.
For over a decade, some passwords were stored as readable plaintext. Google notes that these passwords never left its secure encrypted infrastructure, and that there’s no evidence of “improper access to or misuse of the affected passwords.”
Google today also detailed a second issue related to the G Suite customer sign-up flow. Starting in January 2019, a “subset” of unhashed passwords were stored for a maximum of 14 days.
This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords. We will continue with our security audits to ensure this is an isolated incident.
In response, Google today emailed G Suite admins a list of impacted users who should set a new password. Next week, Google will reset accounts that have not done so themselves.