Google+ is shutting down after a data leak affected 500,000 users due to a security flaw that no one fixed.
The Wall Street Journal reported on Monday, 8 October, that Google detected the flaw earlier this year, but that the tech giant failed to inform users that their data may have been compromised. It chose not to disclose the issue “because of fears that doing so would draw regulatory scrutiny and cause reputational damage.”
Google conducted an internal review called Project Strobe, which discovered an API bug that granted access to information on a user’s profile that hadn’t been marked as public. The company says it resolved the bug shortly after it was discovered in March 2018, but its tight-lipped way of dealing with it did not go completely unnoticed.
Because Google+ never gained much traction as a social media site and interest was waning, no one thought it would be much of a big deal that user data was compromised. According to VP of Engineering Ben Smith, as many as 500,000 accounts could have been affected, but only information such as name, email address, occupation, gender, and age was exposed. Google does claim, however, that it has no evidence to suggest any third-party developers took advantage of the bug while it was being dealt with.
“Over the years we’ve continually strengthened our controls and policies in response to regular internal reviews, user feedback and evolving expectations about data privacy and security,” read a Google blog post by Ben Smith.
“Every year, we send millions of notifications to users about privacy and security bugs and issues. Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice.”
“Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.”
Google+ will be shutting down for consumers and will be gone next August, but it will remain as an enterprise product for companies. In addition to the shutdown, Google is revamping its account permissions to allow users to pick and choose which data they share with third-party apps. These apps will have a limited ability to access private data outside of specific use cases.