Apparently Google+ users weren’t the only ones not paying attention to the social network. According to a report in the Wall Street Journal, Google discovered a “software glitch” earlier this year that allowed third-party developers access to some 500,000 private profile data since 2015, including “full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status.”
That’s a lot of exposed data. And to make matters worse, Google found out about it in the spring and decided not to tell anyone, reports the Wall Street Journal. The paper says the search giant said in a memo that it kept the breach private to avoid public and regulatory scrutiny. Google told the Journal that it considered “whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response, (and) none of these thresholds were met here.”
But Google is doing something about it today. In a blog post about its Project Strobe initiative, which is a “root-and-branch review of third-party developer access to Google account and Android device data,” Google announced that it will be shutting down Google+ for consumers between now and August due to “significant challenges” to maintaining a social network. The enterprise edition used by G Suite clients will not be affected by the change.
In the post, Google admits that Google+ “has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps.” Of note, it says that 90 percent of Google+ user sessions are less than five seconds.
But the shutdown isn’t just the result of low daily active users. It’s also due to the fact that Google had allowed developers access to both public and private profile fields. While Google found no evidence that developers misused this unintentional access and patched the bug in March, opting to keep this data secret isn’t cool, no matter how unpopular Google+ is.
In addition to shutting down the service, Google is also implementing several additional security features for its services, including:
- More granular Google Account permissions;
- Limiting the types of apps that are permitted to access Gmail;
- Limiting apps’ ability to receive Call Log and SMS permissions on Android devices; and
- No longer making contact interaction data available via the Android Contacts API.
That’s all well and good, but Google will still have lots of questions to answer, some of which may be addressed on the stage tomorrow during its Made By Google event where the Pixel 3 is expected to debut.
Why this matters: Wait, Google+ is still a thing? All jokes aside, Google+ still has millions of users, and any breach that affects private information is a major one. And it raises the question: If Google hid this breach from the public, how do we know there aren’t others? Google’s business model is based on trust, and hiding a potentially dangerous breach for six months is not the way to keep it.