Google Plus vulnerability exposed 500,000 users' data


Google announced on October 8 that it had discovered a vulnerability in the Google+ API that had been present since 2015. The vulnerability allowed third-party developers to access data for more than 500,000 users, including their usernames, email addresses, occupation, date of birth, profile photos, and gender. Because Google retains only 2 weeks of activity logs, it cannot determine the exact reach of the breach, but it believes that up to 438 applications had access to this data.

Although the vulnerability was discovered and fixed in March 2018 during an audit led by Project Strobe, Google decided not to disclose it immediately because it feared regulation. According to an internal memo comparing this breach to the Cambridge Analytica scandal, internal lawyers advised that disclosure was not legally required because the company did not have precise information on which developer accessed what. Google also believed that notifying end users would not benefit them in any way.

As a result, Google decided to shut down the consumer version of Google+, citing "the significant challenges in creating and maintaining a successful Google+" and "the very low usage of the consumer version of Google+".

Publication: Google blog, HackerNews, Wall Street Journal

Writer: Google, Swati Khandelwal, Douglas MacMillan and Robert McMillan
