Google is closing social media network Google+ in the latest of a long line of data breaches.
The internet giant says 500,000 accounts were compromised earlier in 2018, but bosses decided to keep quiet about the leak because they feared reputational damage, fines and executives being hauled before government inquiries.
The leak happened around the time Facebook was facing a storm of bad publicity about the Cambridge Analytica data harvest in March 2018.
Programmers uncovered a bug in the Google+ code that allowed third-party developers to access personal data of users and their online friends.
Executives were worried Google would face the same public and regulatory backlash as Facebook, so they asked lawyers what to do.
Bug in code
The data breach was revealed in a company blog announcing the demise of Google+.
The blog says Google knows there’s a bug in the Google+ code, but it cannot say how many users were exposed to a data breach as software logs are only kept for two weeks.
“We ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API,” Ben Smith, Google’s vice-president of engineering, wrote in the blog.
“We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any profile data was misused.”
Smith goes on to explain that the company then looked at the potentially leaked data, whether affected users could be identified, whether there was evidence of data misuse and what response could be made to the incident.
“None of these thresholds were met in this instance,” he wrote.
Google+ for non-business users will close by the end of August 2019, he added.
Gmail security under scrutiny
Smith also took the opportunity to announce Google is limiting the number of apps authorised to access Gmail accounts.
“We are updating our User Data Policy for the consumer Gmail API to limit the apps that may seek permission to access your consumer Gmail data,” he wrote.
“Only apps directly enhancing email functionality – such as email clients, email backup services and productivity services – will be authorised to access this data. Moreover, these apps will need to agree to new rules on handling Gmail data and will be subject to security assessments.”