Google exposed the private data of hundreds of thousands of users of the Google+ social network and then opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage, according to people briefed on the incident and documents reviewed by The Wall Street Journal. It also said that it would strengthen Android app permission requirements to give users more fine-grained control over their mobile phone data, and that it would make it harder for apps to access sensitive information, like SMS messages and call records. Google said in a blog post that almost 500,000 users may have been impacted, but because the company keeps the log data from this specific API for only two weeks at a time, it can't fully confirm who was truly impacted and who was not. "The consumer version of Google+ now has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds", the company said in a statement.
The incident also marks the beginning of the end for Google+, which the company plans to shut down over the next year.
The enterprise version of Google+ is to continue. The flaw exposed user data from 2015 until this past March, according to the report.
Although the bug was discovered many months ago, Google didn't disclose it right away.
You see, Google+ users could grant access to their profile data to third-party apps - just like users could with Facebook and Twitter.
Google said it had reviewed the issue, looking at the type of data involved, whether it could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take.
As for what info was exposed, it's reported that "full names, email address, birth dates, gender, profile photos, places lived, occupation, and relationship status" were all up for grabs.
The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers' expectations. Google was able to determine that the bug was not misused during the two weeks for which it had log data.
If you break down Google's announcement to its core, you will realize that Google decided to shut down Google Plus because of low user interaction with the service and the prospect of investing lots of resources into the service to make it more attractive to users.
As for consumers, Google is now promising new security rules and tools to avoid a similar goof again.
Along with this, Google will also force app developers to provide more detailed explanations of what they intend to do with your Google Account if they request access to it.