Over 500,000 Google+ users are reported to have been affected by a data breach that took place several months ago. What is more interesting is that Google's (and Alphabet's) executives were aware of the breach but decided not to disclose it publicly for fear of inviting government scrutiny.
As a result of the data breach, Alphabet has decided to shut down all consumer access to Google+.
"Over the years we’ve received feedback that people want to better understand how to control the data they choose to share with apps on Google+. So as part of Project Strobe, one of our first priorities was to closely review all the APIs associated with Google+. This review crystallized what we’ve known for a while: that while our engineering teams have put a lot of effort and dedication into building Google+ over the years, it has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps. The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds. Our review showed that our Google+ APIs, and the associated controls for consumers, are challenging to develop and maintain."
Unreported data breach
Data breaches, especially with big platforms and companies as victims, have become common and are somewhat expected. What makes the Google+ breach shocking is how Sundar Pichai (CEO at Google) and other Google executives were briefed on the breach but decided not to disclose it to users or anyone else for fear of "immediate regulatory interest."
Also of concern is that the API gave outside, unauthorized developers access to private Google+ user profile data for a period of 3 years before the flaw was discovered and fixed in March 2018.
"At the same time, we have many enterprise customers who are finding great value in using Google+ within their companies. Our review showed that Google+ is better suited as an enterprise product where co-workers can engage in internal discussions on a secure corporate social network. Enterprise customers can set common access rules, and use central controls, for their entire organization. We’ve decided to focus on our enterprise efforts and will be launching new features purpose-built for businesses. We will share more information in the coming days," reads a Google statement.
Apparently 438 apps were able to exploit this API flaw and access Google+ users' profile data that they were not authorized to access. However, Google has said that none of the apps or developers looked suspicious. That is a rather worrying line of reasoning, considering that Google initially wanted to conceal this data breach and managed to do so for months.
It will be interesting to see how US policymakers react to this news, as it comes a few weeks after a Facebook security issue, similar to the Google+ one, which is said to have affected approximately 50 million users.