Second Google+ data exposure leads to earlier service shutdown

Another Google Plus data exposure -- this time potentially affecting more than 52 million users -- will cause the service to be shut down four months earlier than scheduled.

Google discovered another bug in Google+ that could have led to the exposure of user data and will now shut down the service four months earlier than planned because of the issue.

The announcement came two months after the first Google+ data exposure announcement, in which an API bug impacted as many as 500,000 user profiles. Google said the new bug impacted "approximately 52.5 million users."

David Thacker, vice president of G Suite product management at Google, said the latest Google+ data exposure was caused by a new API bug introduced as part of a November software update.

"We discovered this bug as part of our standard and ongoing testing procedures and fixed it within a week of it being introduced. No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way," Thacker wrote in a blog post. "With the discovery of this new bug, we have decided to expedite the shut-down of all Google+ APIs; this will occur within the next 90 days. In addition, we have also decided to accelerate the sunsetting of consumer Google+ from August 2019 to April 2019. While we recognize there are implications for developers, we want to ensure the protection of our users."

According to Thacker, this Google+ bug could have allowed someone to view certain profile information -- including name, email, occupation, age, relationship status and locations lived -- even if that data was set to nonpublic. Thacker claimed that none of the information exposed could be used in identity theft.

Thacker added that the company has "begun the process of notifying consumer users and enterprise customers that were impacted by this bug" and there is an ongoing investigation into other APIs to ensure no more Google+ data exposures occur.

Stephan Chenette, co-founder and CTO at AttackIQ, noted that this Google+ data exposure appears to show Google has learned from past mistakes.

"The company disclosed this bug much sooner and is trying to be more transparent. In that regard, Google has learned that while security incidents have short-term impacts on stock prices, the long-term price is heavily influenced by how the company handles public disclosure," Chenette said. "Data leaks of any kind have become far too common and are usually caused by security issues, or in Google's case, technical errors, that are easily preventable. Unauthorized exposure of any type of customer data, for any period of time, is a serious issue and organizations should always have a plan to continuously assess the viability of their security controls."

Ben Brown, product specialist at SiteLock, said it was a good decision to shut down Google+ early.

"There have been two disclosed breaches impacting over 53 million users in the last three months. By winding down Google+ early, Google can show critics that they are taking these breaches seriously as they prepare to make their case to Congress regarding protecting user data," Brown said. "Google is currently under investigation for its October 2018 breach impacting 500,000 users. With the news of an additional breach impacting over 50 million users, GDPR officials will be eager to understand the specifics of the discovered bug or vulnerability. Since there is currently no evidence that any data was actually taken, and if they have taken the proper steps to ensure compliance requirements have been met regarding customer privacy and consent, then they should be protected for the time being."
