Google exposed the data of hundreds of thousands of Google+ users due to a faulty API, according to a report by The Wall Street Journal. As part of reparations, the company is permanently shutting down Google+.
The API in question allowed developers to access the public data of users who signed up for an app that used that API. The bug in the API allowed developers to access not just that public data but also the private, non-public data of the users who signed up, as well as of the people they are connected to.
Google found up to 438 apps that used this API and 496,951 users may have been affected by this bug.
The data being stolen includes full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status. There were no phone numbers, email messages, timeline posts, direct messages or any other type of communication data.
This issue existed from 2015 until Google found out about it in March 2018 and decided to fix it. Google then had a choice to inform its users but chose not to, first because it wasn’t legally required to, and second because it would draw regulatory attention towards itself. Google was afraid it, too, would become the center of attention following Facebook’s Cambridge Analytica scandal, and as such chose not to disclose the information to its users.
Google’s excuse is that it found no evidence of any of the data being misused; however, it also has no way of being sure of that. The company did not check with any of the developers of the aforementioned 438 apps.
Google also said the consumer version of Google+ had low usage and engagement and that 90% of user sessions are less than five seconds long, essentially trashing its own product to cover up. The company is henceforth shutting down Google+ for consumers.
Google is also said to be working on improving security elsewhere, including restricting developer access to things such as SMS, call logs, and contact data on Android and add-ons for Gmail.