According to the Wall Street Journal, Google+ suffered a data breach that exposed the details of hundreds of thousands of users and is now shutting down.
The social media network had always been the butt of the joke among users, ultimately failing in its goal to replace Facebook, but this data breach is apparently the final nail in the coffin.
A software vulnerability gave external developers on Google+ access to private Google+ user data for years, between 2015 and 2018. Those developers were granted access to user data including names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status. Google also discovered that Google+ had been permitting developers to obtain data from users who never wanted it to be shared publicly: a bug in the API meant they could collect data even if it was explicitly marked non-public through Google’s privacy settings.
Google found the software bug in its API in March 2018, though it had existed since 2015. The biggest controversy, though, comes from the fact that Google opted not to disclose the breach to users, instead sweeping the situation under the rug and hoping nobody would notice.
An internal memo shows that Google hid the breach in an effort to disassociate itself from the Facebook Cambridge Analytica scandal that was in the news at the time. The memo warned that disclosing the incident publicly would possibly trigger “immediate regulatory interest” and do damage to the company’s reputation.
Google’s explanation as to why they hid the breach is mostly based on the nature of the information, claiming that the leaked data is just Profile fields like name, email address, occupation, gender and age. Other data like posts, messages, Google account data, phone numbers or G Suite content had remained safe. Google says that the data of half a million people was compromised, but because they only log data for two weeks, they’re unable to say who was impacted. They also insist that there is no “evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused”.
Fortunately for Google, the breach occurred before the implementation of the GDPR, so the company will not be held liable for not disclosing the breach within 72 hours of discovery.