Google+ Shutdown Expedited After Discovery of a Second Data Leak – Over 50 Million Users Affected
No one was surprised when Google announced its plans to shut down Google+ by August 2019. Now, almost dead, the platform continues to cause problems for the tech giant. Apparently, a fresh new bug was introduced in Google+ that resulted in developers getting access to data of about 52.5 million users.
As a result of this fresh new security incident, the company has announced expediting the shutdown process, closing Google+ completely by April 2019 instead of August.
"We’ve recently determined that some users were impacted by a software update introduced in November that contained a bug affecting a Google+ API," the company wrote. "We discovered this bug as part of our standard and ongoing testing procedures and fixed it within a week of it being introduced."
"No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way."
While Google assures that it believes that the developers actually didn't misuse this access since they weren't aware about it and the bug was fixed within a week, the company has still changed its initial plans. "With the discovery of this new bug, we have decided to expedite the shut-down of all Google+ APIs; this will occur within the next 90 days," David Thacker, VP Product Management of G Suite, wrote.
"In addition, we have also decided to accelerate the sunsetting of consumer Google+ from August 2019 to April 2019. While we recognize there are implications for developers, we want to ensure the protection of our users."
Bug gave apps access to non-public data shared with other Google+ users
The latest Google+ security vulnerability affects the People API that enables apps to view public profile information from consenting users. However, the bug enabled app developers to get access to data that was set to not-public.
If that wasn't enough, the latest bug also allowed apps that had access to a user's Google+ profile data to also get access to the profile data that had been shared with another Google+ user privately but that was not shared publicly.
Google said that it has started notifying users, who were impacted by this security bug and the investigation continues to see if this issue had any impact on other Google+ APIs.
The company came under criticism in October when it was forced to disclose a bug that exposed the personal data of over 500,000 users. The company has been quick to report the issue this time, but it is clear that it is unable to maintain Google+ despite its low usage.
“We understand that our ability to build reliable products that protect your data drives user trust,” the company wrote today. “We have always taken this seriously, and we continue to invest in our privacy programs to refine internal privacy review processes, create powerful data controls, and engage with users, researchers, and policymakers to get their feedback and improve our programs. We will never stop our work to build privacy protections that work for everyone.”