According to a report in the Wall Street Journal published Monday lunchtime, a software glitch within Google+ exposed the private profile data of hundreds of thousands of Google+ users to outside developers. The glitch was live for nearly three years, according to the reports, but Google decided not to make the bug public because it feared regulation, and has no evidence that the bug was exploited.
In response to the bug, Google is shutting down all consumer functionality of Google+. The social network, which was launched in 2011, was initially supposed to be a response to Facebook and Twitter, but it has ceased to exist outside of a handful of niche communities for years. In a blog post published right after the WSJ’s report, Google confirmed that it is shutting down Google+, as well as confirming a number of the details from the WSJ report.
The WSJ report and Google blog both agree that Google discovered the bug in spring of 2018, although the motivation for what happened afterwards differs. According to the WSJ, it was a fear of regulation that led Google to not disclose it:
Google exposed the private data of hundreds of thousands of users of the Google+ social network and then opted not to disclose the issue this past spring, in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage, according to people briefed on the incident and documents reviewed by The Wall Street Journal.
Google, on the other hand, suggests that it didn’t see the need to disclose the bug because it was already patched, and it didn’t find any evidence that the bug was used maliciously:
We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API.
We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused.
According to Google, data that may have potentially been disclosed only includes “static, optional Google+ Profile fields including name, email address, occupation, gender and age.” In other words, things like photos should not have been at risk.
In any case, the conclusion is the same: Google is shutting down the consumer version of Google+, citing challenges in maintaining the service effectively. The service will be wound down over the next 10 months, with the final shutdown coming in August 2019.