The private data of nearly half a million Google+ users was exposed to third-party developers, and Google failed to notify anyone. A bug in Google+ APIs meant that users’ names, email addresses, occupations, gender and age were accessible from 2015 until Google discovered and patched the problem in March this year.
Even though as many as 438 apps may have accessed the data, Google chose not to go public about the security breach until now. And in a dramatic move, the company has announced that it is shutting down Google+ for consumers. Google has also revealed details of Project Strobe, an audit program through which it discovered the problem.
The data breach was revealed by the Wall Street Journal today, and it wasn’t long before Google published a detailed blog post outlining its own findings and the action it is taking. Google says that a bug in the Google+ People APIs “meant that apps also had access to Profile fields that were shared with the user, but not marked as public”.
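The bug as Google describes it is a field-level authorization error: an API that returns one person's profile to a third-party app filtered fields by what the signed-in user could see, rather than by what the app had been granted, so anything merely shared with that user leaked to the app. The following is an added, hypothetical model of that bug class and its fix; it is not Google's code, and the profile structure, visibility levels, token format and scope names are all assumptions made for the illustration.

```python
# Added example (not Google's code): a toy model of the bug class described
# above. A "people" endpoint that hands an app the profile of a third person
# must filter fields by what the *app* was granted, not by what the *user*
# behind the app's token could see in the UI. All names, tokens, scopes and
# the visibility model below are hypothetical.
from dataclasses import dataclass, field

PUBLIC, FRIENDS, PRIVATE = "public", "friends", "private"


@dataclass
class Profile:
    user_id: str
    fields: dict            # field name -> value
    visibility: dict        # field name -> PUBLIC | FRIENDS | PRIVATE
    friends: set = field(default_factory=set)


def visible_to_user(profile, viewer_id):
    """What a signed-in human may see: the owner sees all, friends see
    FRIENDS and PUBLIC, everyone else sees PUBLIC only. UI rule, not API rule."""
    out = {}
    for name, value in profile.fields.items():
        vis = profile.visibility[name]
        if (viewer_id == profile.user_id or vis == PUBLIC
                or (vis == FRIENDS and viewer_id in profile.friends)):
            out[name] = value
    return out


def people_get_vulnerable(profile, token):
    """Bug: applies the UI rule to the user behind the app's token, so the app
    receives every non-public field that was merely *shared with* that user."""
    return visible_to_user(profile, token["sub"])


def people_get_fixed(profile, token):
    """Fix: for anyone other than the token owner, return only PUBLIC fields.
    The owner's own non-public fields require an explicit scope grant."""
    own = profile.user_id == token["sub"]
    if own and "profile.full" in token["scopes"]:
        return dict(profile.fields)
    return {n: v for n, v in profile.fields.items()
            if profile.visibility[n] == PUBLIC}


def leaked_fields(profile, token):
    """Audit helper: fields the vulnerable endpoint exposes that the fixed one withholds."""
    return sorted(set(people_get_vulnerable(profile, token))
                  - set(people_get_fixed(profile, token)))


# Constructed sample data: Bob shares email and occupation with friends only.
BOB = Profile(
    user_id="bob",
    fields={"name": "Bob Example", "email": "bob@example.com",
            "occupation": "Engineer", "age": 41},
    visibility={"name": PUBLIC, "email": FRIENDS,
                "occupation": FRIENDS, "age": PRIVATE},
    friends={"alice"},
)
# Hypothetical OAuth tokens: subject plus granted scopes.
ALICE_TOKEN = {"sub": "alice", "scopes": {"profile.basic"}}
BOB_BASIC_TOKEN = {"sub": "bob", "scopes": {"profile.basic"}}
BOB_FULL_TOKEN = {"sub": "bob", "scopes": {"profile.basic", "profile.full"}}

if __name__ == "__main__":
    # An app holding Alice's token asks for Bob's profile.
    print("vulnerable:", people_get_vulnerable(BOB, ALICE_TOKEN))
    print("fixed:     ", people_get_fixed(BOB, ALICE_TOKEN))
    print("leaked:    ", leaked_fields(BOB, ALICE_TOKEN))
```

Run against the constructed data, the vulnerable endpoint gives an app acting for Alice Bob's friends-only email and occupation; the fixed endpoint gives only his public name. The same bug also bypasses scope: an app with Bob's own token but only a basic scope gets all of Bob's fields from the vulnerable endpoint, because the owner can see everything in the UI, while the fixed endpoint returns only public fields until `profile.full` is granted. The `leaked_fields` diff is the kind of check an audit such as Project Strobe would run over each endpoint and scope combination.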
Apparently trying to play down the significance of the matter, Google says that Google+ has not proved particularly popular or successful: “it has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps. The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds”.
In what many will regard as a somewhat drastic move, Google is shutting down the consumer version of Google+:
Google+ will now pivot to an enterprise-only service — although building up trust after this incident may prove tricky — and Google says it will provide more information in the coming days:
The company also says that it is introducing a number of changes to address user concerns, the first of which is more granular control for Google Account permissions. This means that permissions will not all be thrown at users in one dialog:
Secondly, access to the Gmail API is going to be limited to only those apps that directly enhance email functionality. New data-handling rules will be introduced and, as is already the case for Chrome extensions, a more rigorous security assessment will be carried out.
Finally, Google will limit apps’ ability to receive Call Log and SMS permissions on Android devices, and the Android Contact API will no longer provide access to contact interaction data. Google explains:
Image credit: dennizn / Shutterstock