Nearly 500,000 members of the Google+ social networking site had their user profile data left out in the open, easily accessible to third-party developers for over two years. Instead of reporting this to subscribers of the service, Google decided to just let it slide so that it wouldn't be subject to investigation by regulatory agencies. As a result of a software bug related to the APIs used for Google+, 438 apps potentially had access to names, birthdates, email addresses, profile photos, occupations and more data covering 496,951 Google+ users.
While Google says that it has no evidence that any of this information was misused, the data was left out in the open from 2015 to March 2018. That's when Google finally shut the door on the bug. An internal Google memo said that if it reported the issue, it would result in Google "coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal." A Google spokesman says that while the company was trying to decide whether or not to go public about the security breach, the company took into consideration "whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met here."
Google said today that it has decided to shut down the consumer version of the Google+ app. This was not a successful venture for Google, and the latest data showed that 90% of sessions on the app were lasting less than five seconds long. The company says that it also will cut back on the amount of data belonging to Android and Gmail users that is available to outside developers. Google plans to change the way apps ask for permissions, giving Android users more control over which permissions they want to give. In addition, Google is limiting the ability of Android apps to obtain Call Log and SMS permissions on Android devices, and is no longer allowing access to contact interaction data through the Android Contacts API.
Going forward, Google could face legal action for its failure to report the security breach to the public. Whether it was legally responsible to do so isn't totally clear. The company says that in the coming months, it will tighten up controls and policies for its APIs. By doing this, it hopes to make users of Google's apps confident that their data is secure.