Google Apologizes for Chrome Password Manager Bug Affecting 15 Million Users, Fixes Disruption and Email Verification Issue

Google has issued an apology following a significant bug that prevented a substantial number of Windows users from accessing or saving their passwords. The issue began on July 24 and lasted for nearly 18 hours until it was resolved on July 25. Google attributed the problem to “a change in product behavior without proper feature guard,” a situation that echoes recent issues faced by users during the CrowdStrike disruption earlier this month.

The bug affected users of the Chrome web browser globally, rendering previously saved passwords and newly stored passwords invisible to those using the Chrome password manager. Google has since addressed and fixed the problem, noting that it was confined to the M127 version of Chrome on the Windows platform.

Determining the exact number of users impacted by the issue is challenging. However, with over 3 billion Chrome users worldwide and Windows users constituting the majority, estimates suggest that around 25% of users experienced the configuration change, amounting to approximately 750 million users. Google estimated that about 2% of these users were affected by the password manager issue, which translates to roughly 15 million users experiencing the problem.

The disruption has now been resolved. Initially, Google offered an interim workaround involving a cumbersome process: launching Chrome with the command line flag “ —enable-features=SkipUndecryptablePasswords.” Fortunately, the final fix requires users only to restart their Chrome browser. Google thanked users for their patience, stating, “We apologize for the inconvenience this service disruption/outage may have caused.” Users who experienced issues beyond this should contact Google Workspace Support for assistance.

For those using Google’s Chrome password manager, it can be accessed through the browser’s three-dot menu under Passwords and Autofill, then Google Password Manager. Alternatively, users can install the password manager Chrome app from the settings and access it directly from the Google apps menu. If Chrome prompts for a password autofill, selecting manage passwords will also navigate users to the password manager.

For users interested in switching from a standalone password manager to Google’s offering, though it is generally recommended to use a separate service for added security, the transition is straightforward. First, export your passwords from the existing application as a .CSV file, ensuring the file is correctly formatted with column headers: url, username, and password. Then, go to passwords.google.com in Chrome, select Settings|Import, and upload your password file. Remember to delete the .CSV file from your device and empty the trash to prevent unauthorized access.

While Google’s Chrome password manager is user-friendly, it may not offer the best security compared to dedicated password managers. Using a dedicated service is preferable as it provides additional security features such as two-factor authentication, password generation options, and other safeguards. For instance, I use 1Password, which employs end-to-end encryption for data in transit, 256-bit AES encryption, and secure pseudorandom number generators for encryption keys. The service also incorporates key derivation strengthening and a 128-bit secret key created on the user’s device, not known to 1Password. This secret key, used in conjunction with the master password, protects the vault. Even if an attacker gained physical access, they would need the master password to decrypt stored information. Brute-forcing the 1Password servers would be futile without the secret key, which is only stored on the user’s device.

The Google Chrome password manager can also use on-device encryption if configured. Instructions for setting this up are available, though users should note that once on-device encryption is enabled, it cannot be removed. With this setup, users can unlock their password or passkey using their Google password or the screen lock on compatible devices.

In addition to the password manager issue, Google users have recently faced another security problem. Renowned cybersecurity journalist Brian Krebs reported that email verification issues when creating new Google Workspace accounts also surfaced. This authentication issue, now fixed by Google, allowed malicious actors to bypass email verification, enabling them to impersonate domain holders at third-party services. This breach permitted unauthorized access to third-party accounts, including Dropbox.

The problem appeared to be linked to Google Workspace’s free trials, which offer access to services like Google Docs. Typically, Gmail is accessible only to users who can verify control over the associated domain name. However, attackers managed to circumvent this verification process. Anu Yamunan, Director of Abuse and Safety Protections at Google Workspace, confirmed to Krebs that a few thousand accounts were created without domain verification before the fix was implemented. This fix was applied within 72 hours of the vulnerability being reported. Yamunan explained, “The tactic here was to create a specifically-constructed request by a bad actor to circumvent email verification during the signup process.” None of the compromised domains were previously linked to Workspace accounts or services.