A vulnerability in the Google+ social network exposed the personal data of up to 500,000 people using the site between 2015 and March 2018, the search giant acknowledged Monday.
Google said it found no evidence of data misuse. Still, as part of the response to the incident, Google plans to shut down the social network permanently.
The company didn’t disclose the vulnerability when it fixed the problem in March because it didn’t want to invite regulatory scrutiny from lawmakers, according to a report Monday by The Wall Street Journal. Google CEO Sundar Pichai was briefed on the decision not to disclose the finding after an internal committee had already settled on that plan, the Journal said.
Google said it found the bug as part of an internal review called Project Strobe, an audit started earlier this year that examines access to user data from Google accounts by third-party software developers. The bug gave apps access to information on a person’s Google+ profile that can be marked as private. That includes details like email addresses, gender, age, images, relationship statuses, places lived and occupations. Up to 438 applications on Google+ had access to this API, though Google said it has no evidence any developers were aware of the vulnerability.
“The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations,” Ben Smith, vice president of engineering, said in a blog post. “Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+.”
The news comes as Silicon Valley companies have been increasingly scrutinized for their data collection practices. Facebook brought the issue to the forefront in March after its Cambridge Analytica scandal, in which a UK-based digital consultancy harvested data on 87 million Facebook users without their permission.
Google has already drawn controversy over its data collection practices. In July, the company was criticized after reports that employees of third-party email apps could read users’ emails if those users had integrated the apps with their Gmail accounts. Google was hammered again a month later, when the Associated Press revealed the company was tracking users’ locations even after they’d turned off their phones’ location history setting.
Last month, Google Chief Privacy Officer Keith Enright — alongside representatives from other tech and telecom giants including Apple, Amazon and AT&T — testified before the Senate on privacy practices in Silicon Valley. Google CEO Sundar Pichai reportedly is expected to take the hot seat in another congressional hearing after the US midterm elections in November.
Google+ launched with much fanfare in 2011, positioned as the search giant’s answer to Facebook. But the social network never gained traction among consumers. Google eventually peeled away some of the service’s most popular features, including Hangouts chats and its photo capabilities, and put them into standalone apps. On Monday, Google said 90 percent of Google+ sessions today last less than five seconds.
The search giant said it’ll shut down Google+ by the end of next August to give people a chance to migrate their information and get used to the transition. After Google announced the social network’s shutdown, even people who helped launch the product said the time had come to end it.
“As a tech lead and an original founding member of Google+, my only thought on Google sunsetting it is… FINALLY,” tweeted David Byttow, a former Google engineer.
Specifically, the issue disclosed Monday came through one of the Google+ “People” APIs, a developer tool available to third-party app developers. Outside app makers weren’t supposed to have access to private profile information through it. The API was designed to keep logs only for two-week periods, so Google’s audit could examine just 14 days’ worth of access. Even in that short window, the audit found that nearly half a million Google+ accounts could have been affected.
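The bug class described above, as an added illustration that is not Google’s code and does not reflect how the real People API was built: a profile API that ignores per-field privacy settings beside a fixed version that honors them, plus a replay over a constructed 14-day access log of the kind the audit had to work from. The Profile, AccessEntry and log layout are hypothetical; the field names follow the article’s list.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Profile:
    user_id: str
    fields: dict   # field name -> value
    private: set   # field names the owner marked private (hypothetical setting)

def serialize_vulnerable(profile: Profile, consented: bool) -> dict:
    """Bug pattern: the per-field privacy setting is never consulted, so an app
    granted only public profile data also receives the private fields."""
    return dict(profile.fields)

def serialize_fixed(profile: Profile, consented: bool) -> dict:
    """Hardened form: a field is returned only if it is public or the owner
    explicitly consented to share private data with this app."""
    return {k: v for k, v in profile.fields.items() if consented or k not in profile.private}

@dataclass
class AccessEntry:
    when: datetime
    app_id: str
    user_id: str
    fields_returned: frozenset
    consented: bool

def affected_accounts(log, profiles, window_days=14):
    """Replay the retained log window and return ids of users whose private
    fields reached an app without consent. Entries older than the window are
    gone from a two-week log, which is why such a count is only a lower bound."""
    if not log:
        return set()
    cutoff = max(e.when for e in log) - timedelta(days=window_days)
    hit = set()
    for e in log:
        if e.when < cutoff or e.consented:
            continue
        if e.fields_returned & profiles[e.user_id].private:
            hit.add(e.user_id)
    return hit

# Constructed sample data (not real accounts or real log lines).
PROFILES = {
    "u1": Profile("u1", {"name": "A", "email": "a@example.test", "age": 31}, {"email", "age"}),
    "u2": Profile("u2", {"name": "B", "occupation": "nurse"}, set()),       # nothing private
    "u3": Profile("u3", {"name": "C", "gender": "f"}, {"gender"}),
}
NOW = datetime(2018, 3, 1)
LOG = [
    AccessEntry(NOW - timedelta(days=1), "app-1", "u1", frozenset({"name", "email", "age"}), False),
    AccessEntry(NOW - timedelta(days=2), "app-2", "u2", frozenset({"name", "occupation"}), False),
    AccessEntry(NOW - timedelta(days=3), "app-1", "u3", frozenset({"name", "gender"}), True),
    AccessEntry(NOW - timedelta(days=20), "app-3", "u3", frozenset({"name", "gender"}), False),
]
```

Only u1 shows up as affected: u2 marked nothing private, u3 consented to app-1, and u3’s older exposure to app-3 falls outside the 14-day window the log retains.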
The company said it often notifies users when security flaws affect user data, but its privacy and data protection office said the bug didn’t meet the threshold for notification. The office looks at what data was taken, whether affected users need to be informed, whether there was any evidence of data abuse, and whether users could effectively respond.
Ireland’s data protection regulator said Tuesday that it would seek more information from Google about the security vulnerability, according to Reuters.
“The Data Protection Commission was not aware of this issue and we now need to better understand the details of the breach, including the nature, impact and risk to individuals and we will be seeking information on these issues from Google,” it told the outlet.
Google does not yet have a lead European Union Supervisory authority because the breach apparently occurred before the EU’s General Data Protection Regulation (GDPR) privacy law came into effect in May, Reuters noted. As a result, all EU data protection authorities can engage with the company about it.
First published on Oct. 8 at 10:12 a.m. PT.
Updated on Oct. 9 at 7:10 a.m. PT: Adds Irish data protection regulator’s statement and GDPR detail.