October 10, 2018

Bug in Google+ exposes personal data of 500,000 users


On October 8, Internet search giant Google stated that a bug in the Google+ social network exposed to external developers the personal data of up to 500,000 users who used the site between 2015 and March 2018.

Notably, according to Google, there was no evidence of data misuse. Nevertheless, owing to this incident, Google plans to shut down the social network permanently.

Google stated that it found the bug as part of an internal review called Project Strobe, which is a root-and-branch review of third-party developer access to Google account and Android device data and of its philosophy around apps’ data access.

Google had started Project Strobe at the beginning of 2018. This project looked at the operation of its privacy controls, platforms where users were not engaging with its APIs because of concerns around data privacy, areas where developers may have been granted overly broad access, and other areas in which its policies should be tightened.

The bug gave apps access to Profile fields that were shared with a user, but not marked as public, including details like email addresses, gender, age, images, relationship statuses, places lived, and occupation.

As part of Project Strobe, Google discovered a bug in one of the Google+ People APIs. The API was designed to keep logs for only two weeks, so Google stated that it cannot confirm which users were impacted by this bug. However, after a detailed analysis, Google found that the profiles of up to 500,000 Google+ accounts were potentially affected and that up to 438 applications may have used this API.

Google, nevertheless, said that it had not found any evidence of a developer being aware of this bug, or abusing the API, and that it had not found any evidence that Profile data was misused.

In this regard, Ben Smith, Google’s Vice-President of Engineering, said, "The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers' expectations. Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+."

Giving people nearly 10 months to move their information and get used to the transition, Google stated that it will shut down Google+ by the end of August 2019.

Notably, Google said that it often notifies users when there are security issues and flaws and user data is affected, but its privacy and data protection office said the bug didn't meet the threshold. The office looks at what data was taken, if affected users need to be informed, if there was any evidence of data abuse, and whether users could effectively respond.

In this regard, the Data Protection Commission said, "The Commission was not aware of this issue and we now need to better understand the details of the breach, including the nature, impact and risk to individuals, and we will be seeking information on these issues from Google".
