Google exposed personal data of nearly 500,000 and didn’t disclose it

Google has chosen to shut down its social media website Google+ after a massive data breach that potentially exposed data of over 500,000 users.


Parent company Alphabet’s shares declined following the report of the software glitch.

This data is limited to static, optional Google+ Profile fields including name, email address, occupation, gender and age. Thankfully, according to Google, no developer was aware of the bug, was misusing the Google+ API, or had misused private data from users’ profiles.

According to WSJ’s report, the Google+ privacy issue was due to an API that allowed third-party developers to collect users’ friends data, even if that data was set to non-public.

Google+ is an Internet-based social network that was launched in June 2011 and is owned and operated by Google. This is likely why an internal committee reportedly made the decision to keep the vulnerability a secret and briefed Google CEO Sundar Pichai about their plan. Google says that there was no evidence that the information was misused, but that a total of 438 apps had access.

In a statement to BleepingComputer, a Google spokesperson said that their Privacy & Data Protection Office felt it was not necessary to disclose the issue, as it did not meet the threshold that would warrant disclosure.

A software bug in Google+ meant that the personal information of “hundreds of thousands” of users was exposed. Info that was not exposed includes email messages, Google+ timeline posts, direct messages with other users, phone numbers and “any other type of communication data”.

Ortega said such delays in reporting data leaks could become more common among technology companies as they looked to protect their reputation in the wake of legislation and privacy laws. Google has also advised they will remove access to the contact interaction data from the Android Contacts API which allowed apps to show you your most recent contacts, within the next few months. The bug appears to have been active between 2015 and 2018. Somehow, the intimate data of the first user would be included in the collection profile.

Meanwhile, the company said it was unable to confirm which accounts were affected by the bug it discovered, but an analysis indicated it could have been as many as 500,000 Google+ accounts.

However, it sounds like Google was ready to shut down the platform regardless of this issue, citing in its announcement the consumer version’s “very low usage”.


Lastly, Google says it’ll be limiting access to its Gmail APIs and be stricter about which apps in the Play Store can access call logs and SMS permissions on Android devices.
