Google is notifying more than 52-million users via email that their non-public data was exposed to developers for six days in November 2018, due to a bug in a Google+ system update.
As a result, the search giant has accelerated closing down the Google+ social network, a move first announced in October 2018. It said the service would be closed in April 2018 due to a combination of it being hard to maintain and the platform’s low consumer usage. However, that announcement came in the wake of news that half-a-million users’ data had been exposed between 2015 and March 2018.
The company’s second data leak in 2018 arose from an update launched by the social network’s developer team, containing a bug which went unnoticed for six days until it was picked up by a standard testing procedure.
“No third party compromised our systems,” said David Thacker, VP of G Suite, in a blog post, “and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way.”
The company says it may not have evidence of the extent of the because Google+ servers do not keep software connection logs for more than two weeks. This makes it impossible to analyse evidence of a breach when investigations happened two weeks after the bug was discovered.
Thacker said that the team had “decided to expedite the shut-down of all Google+ APIs”. Developers who make use of the platform’s APIs will no longer be able to use them after 10 March 2019.
“While we recognise there are implications for developers, we want to ensure the protection of our users,” said Thacker.
Google’s investigation into the impact of the bug has revealed that:
- Approximately 52.5 million users have been affected by the leak.
- Apps that requested permission to view profile information from a user’s Google+ profile, like their name, email address, occupation, and age, were granted permission buy the API to view non-public profile information about that user
- apps had access to the profile data that had been shared with the consenting user by another Google+ user, but that was not shared publicly.
Google+ users who are affected will be contacted by Google with a list of applications which have had unauthorised access.
Users have until April 2019 to download their data from here before the service is taken down.