Google is shutting down the Google+ social network for consumers following a report that it withheld details of a data breach because it feared a public backlash.
The search giant on Monday revealed the existence of an audit called Project Strobe and that as a result of its findings it will shut down the unpopular Google+ social network after discovering a breach affecting as many as half a million users. The company also vowed to take steps to secure user data from developers who may have been “granted overly broad access”.
“We are shutting down Google+ for consumers,” Google said in the blog titled “Project Strobe: Protecting your data, improving our third-party APIs, and sunsetting consumer Google+”.
Murdoch-owned paper, the Wall Street Journal, on Monday reported that hundreds of thousands of Google+ users had data exposed through a vulnerability in the service, which Google launched in 2011 as its answer to Facebook.
The paper said that Google execs didn’t want to disclose the breach because it could draw comparisons to Facebook’s Cambridge Analytica scandal, which resulted 87 million users’ data being exposed to the political consultancy via a third-party app on Facebook. The execs also weren’t comfortable with the prospect of extra regulatory attention.
Google told the WSJ that prior to deciding whether or not to disclose the incident, it looked at whether it had the necessary information to inform affected users, whether there was evidence of misuse, and whether there were any actions a developer or user could take in response to it. Google has no evidence to say whether the information leaked was misused by anyone.
Exposed information includes user names, email addresses, dates of birth, profile pics, places lived, occupation, and relationship status. It didn’t include phone numbers or content created by users, according to the report.
Google said Project Strobe reviewed third-party developer access to Google account and Android device data. The review focussed on Google’s application programming interfaces (APIs) and found that over 400 could have been used maliciously.
Google said it patched a bug in March that gave apps access to Google+ profile fields that weren’t marked as public. This detail was listed among six key findings it shared about the audit.
"We ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API," said Ben Smith Google fellow and vice president of engineering.
“This project looked at the operation of our privacy controls, platforms where users were not engaging with our APIs because of concerns around data privacy, areas where developers may have been granted overly broad access, and other areas in which our policies should be tightened,” he added.
The key findings included:
- Users can grant access to their Profile data, and the public Profile information of their friends, to Google+ apps, via the API.
- The bug meant that apps also had access to Profile fields that were shared with the user, but not marked as public.
- This data is limited to static, optional Google+ Profile fields including name, email address, occupation, gender and age. (See the full list on our developer site.) It does not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content.
- We discovered and immediately patched this bug in March 2018. We believe it occurred after launch as a result of the API’s interaction with a subsequent Google+ code change.
- We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API.
- We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused.