The bug was located in the Google+ People API
The company said the bug was located in the Google+ People API. By default, Google+ users can grant access to their profile data to third-party apps. Just like with Facebook and Twitter, Google+ users can also allow a third-party app to access the public profile information of a user’s friends.
In a blog post, Ben Smith, Google fellow and vice president of engineering, said the bug allowed third-party apps to also gain access to users’ data that was marked private, not just the public data the apps would have normally been allowed to see.
According to the Google+ Profile API documentation, profile fields can store a treasure trove of sensitive user details such as such as name, email address, occupation, gender, age, nickname, birthday, just to name a few.
The bug was patched in March 2018
Google said it discovered and immediately patched the API bug in March 2018.
“We believe it occurred after launch as a result of the API’s interaction with a subsequent Google+ code change,” Smith said. The company said it found “no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused.”
Google said it couldn’t determine which users were impacted by this bug because the API was designed to keep logs for only two weeks, and it didn’t have access to historical data longer than that.
“However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected,” Smith said. “Our analysis showed that up to 438 applications may have used this API.”
The bug might have leaked user data since 2015
A Wall Street Journal report published at the same time with Google’s blog post claimed the API bug was far worse, and might have leaked user data since 2015, being only discovered when Google engineers started prodding Google sites for privacy leaks in preparation for the EU GDPR deadline. The same report claimed Google covered the incident instead of making it public, fearing “immediate regulatory interest.
As for Google+, the search giant won’t miss it that much because the site never got off the ground with end users. Google said that 90 percent of all Google+ sessions don’t last more than five seconds, confirming rumors that the site was more of a ghost town, when compared to Twitter and Facebook.
Google+ will retire in August 2019
Smith said Google+ would wind down over the next ten months, during which time users will be able to download or migrate their data, and the site would be permanently retired in August 2019.
As part of its breach disclosure blog post, Google also announced new privacy features for Google accounts and user data.