Google apologizes after Chrome bug wipes out 15 million passwords
Google has publicly apologized after a bug in its Chrome web browser caused an estimated 15 million Windows users to lose access to their saved passwords. The issue, which started on July 24 and lasted nearly 18 hours, was attributed to "a change in product behavior without proper feature guard," according to Google. This glitch affected Chrome users globally, making it impossible for them to locate any passwords saved via the Chrome password manager and rendering newly saved passwords invisible.
Bug specific to M127 version of Chrome on Windows
The bug was specific to the M127 version of the Chrome browser on the Windows platform. Google estimated that about 2% of its user base, the users to whom the configuration change was rolled out, were affected by this issue. With over 3 billion Chrome users worldwide, and Windows users forming the majority, this translates to roughly 15 million users who lost access to their passwords due to this glitch.
A full fix has now been implemented
During the disruption, Google offered a temporary workaround that involved launching the Chrome browser with the command line flag "--enable-features=SkipUndecryptablePasswords". A full fix has now been implemented that simply requires users to restart their Chrome browser. The tech giant expressed gratitude to its users for their patience and apologized for any inconvenience caused by this service outage.
Additional user issue reported by cybersecurity expert
Cybersecurity analyst Brian Krebs highlighted another issue affecting Google users. Some discovered that email verification was missing when creating a new Google Workspace account. This flaw enabled bad actors to bypass the email verification process necessary for creating a Google Workspace account, thereby impersonating domain holders at third-party services. The problem appears to have been linked to free trials offered by Google Workspace.
Google addresses email verification bug in Workspace
Anu Yamunan, the director of abuse and safety protections at Google Workspace, informed Krebs that a few thousand non-domain-verified accounts had been created before a fix was applied. The fix was implemented within 72 hours of the vulnerability being reported. Yamunan clarified that none of these domains were previously associated with Workspace accounts or services, and that the tactic involved a specifically constructed request by a threat actor to bypass email verification during the signup process.