Did you forget that Google+ still exists? It does, though not for much longer. The Wall Street Journal reported today that Google discovered a major security issue on the social network this spring, but opted not to release the information to the public. Now the company has announced new privacy measures for its products and is shutting down the underused platform.
According to a company blog post, Google engineers first discovered the security issue while conducting an audit of its platforms called “Project Strobe.” A software glitch allowed third party developers to access to users’ private information, including age, gender, occupation, and email address. Google states that up to 500,000 accounts may have been affected, and that up to 438 third-party apps may have accessed the data. The bug gave developers potential access to the data from 2015 until March 2018, when engineers fixed the issue.
The Wall Street Journal reviewed internal documents at Google and found that the company’s legal staff warned against sharing the information publicly, fearing increased scrutiny from government regulators and damage to the company’s reputation. Google lawyers also determined that the company was not legally required to disclose information about the bug. In a statement, a Google spokesman explained the decision to the Journal, and noted that the company assessed “’whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response,” he said. “None of these thresholds were met here.’”
The Google blog post asserts that there is no evidence that the information was used for nefarious purposes, and no evidence that any outside developer knew about the bug. But it also acknowledges that because the company deletes third party access data after two weeks, Google auditors cannot say for certain which users were impacted by the glitch or what data outside developers may have obtained.
In response, Google will be revising the way users set security permissions for sharing Gmail, SMS, phone, and other data with third party apps. The consumer version of Google+ will shut down in August 2019, though Google plans to retain and upgrade a version of the platform for business use.