Google exposed the personal data of about 500,000 Google+ users to potential misuse by outside developers for years through a bug, then kept the error quiet to avoid consequences, according to an investigation published by The Wall Street Journal on Monday. The Journal reports the company didn't disclose what had happened "in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage".
The exposed data includes full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status.
The US internet giant said it will "sunset" the consumer version of Google+, a social network that failed to gain meaningful traction after launching in 2011 as a challenger to Facebook. It also said it would tighten Android app permission requirements to give users more fine-grained control over their phone data, and make it harder for apps to access sensitive information such as SMS messages and call records. Still, shares in Google's parent company, Alphabet, are up 10% for the year.
Google is also updating Gmail's User Data Policy for the consumer version to limit access to user data. It also promises to provide consumers with more information, including options for downloading and migrating data, over the coming months.
In a statement to BleepingComputer, a Google spokesperson said the company's Privacy & Data Protection Office concluded that disclosure was not necessary because the incident did not meet the threshold that would warrant it. According to the reports, the flaw was live for almost three years, exposing user data from 2015 until this past March, and Google chose not to make it public because it feared regulation.
The API flaw allowed third-party app developers to access the profile and contact information of users who chose to sign into those apps via Google.
Those who are alarmed may take some comfort in Google's statement that it keeps API log data for only two weeks, though the same retention limit means Google could not determine from its own records whether any developer actually retrieved the exposed data.
Google said it would continue to offer private Google+-powered networks for businesses that already use the software.
Saikali said it was possible that Google could face class action lawsuits over its decision not to disclose the breach.
But it's not doing so exclusively out of concern for users' privacy: Smith admitted the network is not a success, saying "The consumer version of Google+ now has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds".
If you don't see the downgrade page and instead see an upgrade page, you have already deleted your Google+ profile (or never had one).