A bug connected to a Google+ API potentially exposed the profile information belonging to 52.5 million users of Google’s social network.
According to David Thacker, VP of Product Management for G Suite, a software update in November introduced the weakness. This bug enabled apps that requested visibility of 52.5 million Google+ users’ names, email addresses, occupations, ages and other profile information to view those profile details even when they were set to not-public. It also gave these apps access to profile data which another Google+ user had privately shared with the consenting user.
Google’s team looked into the issue and determined that it had not exposed users’ financial data, passwords or other information which could be abused for identity theft. They also found no evidence of a third party having compromised Google’s systems or of a developer having misused the access.
Thacker said that the team fixed the issue within a week of its discovery and began notifying affected consumer users and enterprise customers. He also announced that Google will now accelerate the retirement of its social network in response to this bug, which comes just a few months after another weakness affected 500,000 Google+ users’ profiles. Specifically, he said that Google will move to retire all Google+ APIs within the next 90 days and will shut down the consumer version of the platform by April 2019, four months earlier than originally communicated.
“We understand that our ability to build reliable products that protect your data drives user trust,” said Thacker in a blog post. “We have always taken this seriously, and we continue to invest in our privacy programs to refine internal privacy review processes, create powerful data controls, and engage with users, researchers, and policymakers to get their feedback and improve our programs. We will never stop our work to build privacy protections that work for everyone.”
A full list of profile information potentially exposed by this latest weakness can be found here.