The Wall Street Journal reported on Monday that a bug discovered in March may have granted access to the private data of nearly half a million Google+ users.
Google+ is search engine giant Google’s social network, which since its 2011 inception was often the butt of jokes for being a largely unused attempt to copy Facebook.
Out of fear for “immediate regulatory interest,” write the WSJ‘s Douglas MacMillan and Robert McMillan, Google chose not to reveal the data breach to the public.
What Happened
As part of its overarching Project Strobe third-party app developer data access review system, Google discovered (and reportedly fixed) in March a bug that mistakenly allowed these developers access to Google+ user profile information fields that had been marked as private.
These fields include name, email address, occupation, gender and age. According to Google’s official statement, the information potentially exposed “does not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content.”
According to a memo reviewed by and two parties close to the incident who spoke with the WSJ, the bug has existed since 2015. In between that time and discovery of the bug this past March, 496,951 users shared this private profile information with a friend who could, in turn, have had it improperly obtained by a third-party developer.
As many as 438 applications could have used the API that would allow access to this profile data.
Google has asserted that it “found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused.”
However, Google has also implied that it does not know the full extent of the data breach, noting that it “cannot confirm which users were impacted by this bug.”
Since Google only maintains activity logs related to this type of app activity for two weeks at a time — and since the bug has existed since 2015 but wasn’t discovered until nearly three years later — the full extent of the breach remains unclear. Google, says the WSJ, is still “unable to determine … what types of data may potentially have been improperly collected.”
What Comes Next
Google has said it will now sunset Google+, after years of seeming willfulness in doing so. Now, however, the company has emphasized what a low rate of usage was experienced by the app among personal account users.
dark comedy: google plus PR spent five years trying to dissuade writing about the network’s absymal usage numbers
now that it leaked everyone’s data, google can’t get enough of telling people how no one used it https://t.co/iGocHG7vpA
— rat king (@MikeIsaac)
October 8, 2018
Moving forward, Google said, it will pivot to rebuilding Google+ as an enterprise network, noting that “Google+ is better suited as an enterprise product where co-workers can engage in internal discussions on a secure corporate social network.”
Perhaps in response to this breach, Google is also rolling out new security and privacy changes, namely the visuals seen by users when apps are requesting access to various parts of their Google accounts.
Instead of a single “sign in with Google screen,” each item to which the app is requesting access — e.g., Google docs, Google calendar, Gmail, et cetera. — will have its own permission dialog box.
Source: Google
Google CEO Sundar Pichai is expected to testify before Congress in November, where he will likely be questioned by U.S. lawmakers about both the breach itself, as well as the company’s decision not to disclose it to the public.
What Marketers Should Know
If your marketing efforts have at all focused on Google+, be aware that it will sunset over a period of ten months, and is predicted to shut down completely in August 2019.
However, in its pivot to rebuilding as an enterprise-level network, it is unclear what will become of branded pages and profiles that currently exist on Google+. The company has said that it will inform individual users of how to download and migrate their data, but has not indicated how business profiles will be impacted.
This story is developing and will be updated as more details emerge.
