Another Google Plus API bug exposes private data of 52.5 million users

  • Google acknowledged that a second API bug in Google Plus could have impacted approximately 52.5 million users.
  • Google has also decided to bring forward the shutdown date for the consumer version of Google Plus from August 2019 to April 2019.

Google Plus likely exposed the personal data of over 52 million users because of a second API bug. The bug was discovered during standard internal tests and was fixed within a week of its discovery.

Upon discovery of the second bug, Google decided to bring forward the shutdown date for the consumer version of Google Plus from August 2019 to April 2019. Google initially planned to shut down its Google Plus social network after it discovered an API bug in October 2018 that might have exposed the private data of more than 500,000 users.

Google revealed:

  • It discovered an API bug during its standard and ongoing testing procedures, adding that no third-party entities compromised its systems.
  • Google confirmed that there is no evidence that app developers accidentally gained access to sensitive data for six days, or misused it in any way.
  • The tech giant decided to expedite the shutdown of all Google Plus APIs within the next 90 days.
  • It has also started notifying affected users about the incident.
  • It is investigating any potential impact on other Google Plus APIs.

More about the investigation of the bug

  • Google confirmed that the bug impacted almost 52.5 million users in connection with a Google Plus API.
  • With respect to this API, apps that requested permission to view Google Plus profile information were granted permission to view users’ data. Users who set their profile to not-public also had their profile data exposed.
  • The profile information exposed included data such as names, birthdates, age, occupations, skills and more.
  • Apps with access to a user's Google Plus profile data also had access to profile data that another Google Plus user had shared, even though that other user's profile was not shared publicly.
  • The bug did not give developers access to any sensitive information such as financial data, national identification numbers, or passwords.
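
The class of flaw described above (an app's profile permission checked, the per-field visibility setting ignored) can be modelled alongside the kind of regression check that catches it. This is an added illustration, not Google's code: the scope name, visibility labels, sample profiles and every function are hypothetical, and it assumes the flawed path handed the app whatever the consenting user could see.

```python
from dataclasses import dataclass

PUBLIC, SHARED, PRIVATE = "public", "shared", "private"   # assumed visibility labels
SCOPE = "profile.read"                                    # hypothetical scope name

@dataclass(frozen=True)
class Field:
    value: str
    visibility: str = PRIVATE             # owner's setting for this field
    shared_with: frozenset = frozenset()  # users the owner shared the field with

# Constructed sample data: alice installs the app; bob shared "skills" with alice only.
PROFILES = {
    "alice": {"name": Field("Alice", PUBLIC),
              "birthdate": Field("1990-01-01", PRIVATE),
              "occupation": Field("Engineer", PRIVATE)},
    "bob": {"name": Field("Bob", PUBLIC),
            "skills": Field("Welding", SHARED, frozenset({"alice"})),
            "birthdate": Field("1985-05-05", PRIVATE)},
}

def _require_scope(scopes):
    if SCOPE not in scopes:
        raise PermissionError("app lacks " + SCOPE)

def _visible_to_user(owner, f, user):
    return f.visibility == PUBLIC or owner == user or user in f.shared_with

def serialize_buggy(owner, user, scopes):
    """Scope check only: the app inherits the consenting user's own view."""
    _require_scope(scopes)
    return {k: f.value for k, f in PROFILES[owner].items()
            if _visible_to_user(owner, f, user)}

def serialize_fixed(owner, user, scopes):
    """Scope check plus field-level check; unknown labels are denied by default."""
    _require_scope(scopes)
    return {k: f.value for k, f in PROFILES[owner].items()
            if f.visibility == PUBLIC}

def leaked_fields(serializer, user, scopes=(SCOPE,)):
    """Regression check: every (owner, field) returned to the app that is not public."""
    leaks = []
    for owner, fields in PROFILES.items():
        returned = serializer(owner, user, scopes)
        leaks += [(owner, k) for k in returned if fields[k].visibility != PUBLIC]
    return sorted(leaks)
```

Running `leaked_fields` against every profile serializer in a test suite turns the visibility policy into an assertion rather than a convention each endpoint has to remember.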

“We understand that our ability to build reliable products that protect your data drives user trust. We have always taken this seriously, and we continue to invest in our privacy programs to refine internal privacy review processes, create powerful data controls, and engage with users, researchers, and policymakers to get their feedback and improve our programs. We will never stop our work to build privacy protections that work for everyone,” Google said in the report.

“We are in the process of notifying any enterprise customers that were impacted by this bug. A list of impacted users in those domains is being sent to system administrators, and we will reach out again if any additional impacted users or issues are discovered,” Google added.