Google data breach: Google Plus shutdown after API bug exposed 500,000 users’ data

  • The API bug, if exploited, could allow third-party apps to gain access to the public profile information of Google Plus users’ friends.
  • Google’s report states that up to 438 third-party apps may have used the Google Plus API.

Google has shut down Google Plus after its engineers discovered an API bug that may have exposed the private information of over 500,000 users. Google Plus holds a trove of data, including users’ names, email addresses, occupations, gender and age.

According to Ben Smith, Google Fellow and Vice President of Engineering, the API bug was discovered as part of Google’s Project Strobe. In the beginning of 2018, Google launched Project Strobe to review the overall security of its products, including its privacy control operations.

Impact of the breach

The API bug, if exploited, could allow third-party apps to gain access to public profile information of Google Plus users’ friends.

“Users can grant access to their Profile data, and the public Profile information of their friends, to Google+ apps, via the API. The bug meant that apps also had access to Profile fields that were shared with the user, but not marked as public,” Smith said in a blog.
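The field-level mix-up Smith describes, as an added illustration that is not Google’s code (the visibility levels, field names and the users alice and bob are constructed): an app acting on behalf of a user should only receive a friend’s fields marked public, but the buggy filter returned every field the acting user could personally see.

```python
from dataclasses import dataclass, field
from enum import Enum


class Visibility(Enum):
    PUBLIC = "public"    # owner marked the field public
    SHARED = "shared"    # shared with specific people, not public
    PRIVATE = "private"  # owner only


@dataclass
class ProfileField:
    name: str
    value: str
    visibility: Visibility
    shared_with: frozenset = frozenset()  # user ids the field is shared with

    def visible_to_user(self, user_id: str) -> bool:
        """Can this user see the field when viewing the profile directly?"""
        return self.visibility is Visibility.PUBLIC or user_id in self.shared_with


@dataclass
class Profile:
    owner: str
    fields: list = field(default_factory=list)


def friend_profile_buggy(profile: Profile, acting_user: str) -> dict:
    """Buggy behaviour: the app authorised by acting_user for a friend's *public*
    data receives every field that acting_user can see, public or not."""
    return {f.name: f.value for f in profile.fields if f.visible_to_user(acting_user)}


def friend_profile_fixed(profile: Profile, acting_user: str) -> dict:
    """Fixed: third-party apps only get fields the owner marked public,
    regardless of what acting_user could see in the UI."""
    return {f.name: f.value for f in profile.fields if f.visibility is Visibility.PUBLIC}


def leaked_fields(profile: Profile, acting_user: str) -> set:
    """Fields the buggy endpoint hands to an app beyond the fixed endpoint."""
    return set(friend_profile_buggy(profile, acting_user)) - set(friend_profile_fixed(profile, acting_user))


# Constructed sample: bob shared his email and age with alice, but not publicly.
BOB = Profile("bob", [
    ProfileField("name", "Bob Example", Visibility.PUBLIC),
    ProfileField("occupation", "Engineer", Visibility.PUBLIC),
    ProfileField("email", "bob@example.invalid", Visibility.SHARED, frozenset({"alice"})),
    ProfileField("age", "41", Visibility.SHARED, frozenset({"alice"})),
    ProfileField("phone", "555-0100", Visibility.PRIVATE),
])

if __name__ == "__main__":
    print("leaked to an app acting for alice:", leaked_fields(BOB, "alice"))
```

An app acting for a user who was not in the sharing circle gets nothing extra from the buggy path, which is why the exposure depended on what each friend had been shown and not on anything the app requested.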

Although Google has not found any evidence of misuse of profile data, Smith confirmed that the company’s internal analysis found that up to 438 third-party apps may have used the Google Plus API.

“We found no evidence that any developer was aware of this bug or abusing the API, and we found no evidence that any Profile data was misused,” Smith said. “Our analysis showed that up to 438 applications may have used this API.”

Smith explained that Google discovered the bug in March 2018 and patched it immediately. The bug arose from the API’s interaction with a later change to Google Plus’ code.

“We discovered and immediately patched this bug in March 2018. We believe it occurred after launch as a result of the API’s interaction with a subsequent Google+ code change. We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks,” Smith explained.

“That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected.”

Google Plus to retire in 2019

Compared with other social networks such as Facebook and Twitter, Google Plus has seen little use. Following the breach, and given that low usage, Google has decided to shut down the consumer version of Google Plus completely in August 2019.

“The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations. Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+,” Smith added.

“To give people a full opportunity to transition, we will implement this wind-down over a 10-month period, slated for completion by the end of next August. Over the coming months, we will provide consumers with additional information, including ways they can download and migrate their data,” Smith said.