A massive security breach exposed the private data of over 500,000 of Google Plus users to third-party developers.
Due to the data exposure, Google is going to shut down the social media network Google+.
What caused the data breach is a security vulnerability that affected one of Google+ People APIs letting third-party developers access the data of more than 500,000 users.
The exposed data included usernames, email addresses, date of birth, profile photos, occupation, and gender-related information.
However, what worried users most is the fact that despite registering the issue in the spring, Google didn’t disclose the flaw in the Google+ due to its fear of reputational damage.
“Google exposed the private data of hundreds of thousands of users of the Google+ social network and then opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage, according to people briefed on the incident and documents reviewed by The Wall Street Journal.” the Wall Street Journal wrote.
“As part of its response to the incident, the Alphabet Inc. unit on Monday announced a sweeping set of data privacy measures that include permanently shutting down all consumer functionality of Google+.”
The company stated that its experts addressed the flaw in March 2018 and they found no evidence that any developers have exploited the flaw to access users data. The vulnerability was present in the Google+ People APIs since 2015.
“We discovered and immediately patched this bug in March 2018. We believe it occurred after launch as a result of the API’s interaction with a subsequent Google+ code change.” Google wrote in a blog post.
“We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API.”
Most probably, the company’s decision of not disclosing the vulnerability was influenced by the Cambridge Analytica scandal which occurred at the same time.
“A memo reviewed by the Journal prepared by Google’s legal and policy staff and shared with senior executives warned that disclosing the incident would likely trigger “immediate regulatory interest” and invite comparisons to Facebook’s leak of user information to data firm Cambridge Analytica.” the WSJ reads.
According to security experts, the vulnerability in Google+ is similar to the one recently discovered in Facebook API.
Google reported they would maintain Google+ only for Enterprise users in August 2019.