Some time ago, on October 8, 2018, Google came out and admitted to a data breach in its Google+ social network, because of a software bug. This bug resulted in close to 500,000 user accounts getting compromised. There is no proof available so far that any user’s personal information was misused. If you recall, not too long ago, Google had to allay fears among its users that the developers were being given access to the users’ Gmail accounts, and could potentially misuse them.
As per an article published in the Wall Street Journal, Google chose not to come out with the details in the open, regardless of the fact that the data belonging to so many users was at risk. The company feared major damage to its reputation.
What exactly happened?
In the period between 2015 and March 2018, a good number of outside developers were potentially able to access the personal Google+ data of the users, because of a software glitch in the system. Although an internal memo warned about the potential ‘regulatory interest’, if the leak was made public, leading to comparisons with Facebook and the likes (owing to the Cambridge Analytica scandal), no notification was sent to the users of the social network.
Google+ users normally provide access to their profile data to the apps run by Google+, through API. This bug resulted in apps getting access to all their profile fields, including the ones not marked as public. Google clarified in a statement that this data is usually limited to only optional and static Google+ profile fields, such as the name, age, gender, occupation and email address. The tech giant said in a statement, “It does not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content.”
As Google keeps the log data of APIs for no more than two weeks, it wasn’t sure about the users that were impacted by this glitch. However, after carrying out detailed analysis that spanned over two weeks, before the bug was patched, Google disclosed that close to 500,000 accounts were impacted. The company claims that no evidence was found of developers being aware of this bug, or any account abuse happening.
It also posted the following on its blog, “”Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.”
As per an announcement made on the company’s blog, Google will be ‘sunsetting’ the Google+ service for general consumers and offer it only to the business customers from here on. It is also putting processes in place to tighten up its security systems, as well as various privacy measures throughout the Google suite. The company will also roll out various additional controls in the near future and will update the policies associated with its APIs.