Google is shutting down its social network Google Plus after it emerged that the company had failed to reveal a breach affecting almost 500,000 users. A bug had allowed third-party users and developers to access Google+ user profile data since 2015. Google discovered the vulnerability and patched the bug in March, but did not disclose anything to the public or to affected users.

The bug also allowed developers to access users’ and users’ friends’ “private only” data. This data is limited to optional Google+ Profile fields including name, email address, occupation, gender and age.

Key takeaways

  • Google does not know which users and accounts were impacted by the bug, but up to 500,000 Google+ accounts were potentially affected. 438 third-party applications potentially used the API.
  • Google did not find that developers knew of the bug, or evidence of user data being misused.
  • The company is shutting down the consumer side of Google+. Note that 90 percent of sessions lasted less than five seconds. “Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+.”
  • Because Google could not find any evidence pertaining to developer access and misuse, it did not make any disclosure to the public.
  • An internal memo from Google says the company did not disclose the breach to the public because it would lead to “us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal,” the Wall Street Journal reports. The memo further says that the disclosure would also invite “immediate regulatory interest.”
  • Google+ will be wound down over the next 10 months.
  • Google will now ask for granular permissions and limit the purposes for which apps can access data; “only apps directly enhancing email functionality—such as email clients, email backup services and productivity services will be authorized to access this [Gmail] data,” says Google’s blog post. Additionally, only apps that users have selected as the default app for making calls or sending text messages will be able to request access to user call logs and SMS data.