Google has disclosed another privacy leak from Google+, this time affecting millions of users, and now says it will bring the shutdown forward from August to April.
Today, Google revealed that another bug in its social network exposed private details of 52.5 million Google+ users, or ten times as many users as were affected by the leak that Google announced in October when it revealed plans to sunset Google+ for consumers.
The latest leak was only available to developers for about one week in November, and was discovered during a routine security check, Google said in a blog post today.
The source of the leak was an update in November that affected a Google+ API and gave app developers access to profile information on accounts that were configured by users to be private. In other words, Google shared the information with developers without gaining user consent.
Additionally, if Google+ users had willingly shared profile data with other contacts, apps had access to that data.
Information leaked to developers included a user’s name, email address, occupation, and age.
Google notes the leaked data didn’t include information about users’ financial data, national IDs, or passwords. So users may face additional phishing threats, but likely won’t be impacted by identity theft.
“We’ve recently determined that some users were impacted by a software update introduced in November that contained a bug affecting a Google+ API,” Google said in the blog.
“We discovered this bug as part of our standard and ongoing testing procedures and fixed it within a week of it being introduced. No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way.”
Google delayed disclosing the Google+ leak affecting 500,000 users by eight months, fearing it could attract attention from regulators amid ongoing probes into Facebook’s leak of 87 million users’ data to political consultancy Cambridge Analytica.
The leak happened as Europe was gearing up to roll out stricter privacy regulations under GDPR, which allow national authorities to impose fines of up to four percent of an organization’s annual global revenue.
A UK ‘fake news’ parliamentary committee last week published internal Facebook emails detailing sensitive internal discussions between 2012 and 2015 that showed select customers, including Netflix and Lyft, were given a free pass to access user data that other developers were blocked from in 2014.
Google says it will shut down all Google+ APIs for developers within the next 90 days, ahead of the accelerated April 2019 timeframe for closing off access to consumers. Google intends to continue supporting Google+ for enterprise customers.
The company confirmed that enterprise customers were impacted by this bug.
“We are in the process of notifying any enterprise customers that were impacted by this bug. A list of impacted users in those domains is being sent to system administrators, and we will reach out again if any additional impacted users or issues are discovered,” Google said.