A New Google+ Blunder Exposed Data From 52.5 Million Users

A month after Google had already decided to shut down Google+, a new bug made its problems much, much worse.
Alberto Pezzali/NurPhoto/Getty Images

In October, Google dramatically announced that it would shut down Google+ in August 2019, because the company had discovered through an internal audit (and a simultaneous Wall Street Journal exposé) that a bug in Google+ had exposed 500,000 users' data for about three years. Maybe it should have pulled the plug sooner.

On Monday, Google announced that an additional bug in a Google+ API, part of a November 7 software update, exposed user data from 52.5 million accounts. Or as Google puts it, "some users were impacted." Google found the flaw, and corrected it by November 13. This means that app developers would have had improper user data access for six days. Google says it doesn't have any evidence that the data was misused during that time, or that Google+ was compromised by a third party. But the company is now moving up Google+'s termination date to April, and it will cut off access to Google+ APIs in 90 days.

"Our testing revealed that a Google+ API was not operating as intended. We fixed the bug promptly and began an investigation into the issue," David Thacker, Google's vice president of product management, wrote in a blog post on Monday. "We have begun the process of notifying consumer users and enterprise customers that were impacted by this bug. ... We want to give users ample opportunity to transition off of consumer Google+."

The bug exposed Google+ profile data that a user hadn't made public—things like name, age, email address, and occupation—and some profile data shared privately between users that shouldn't have been accessible. The flaw did not expose financial data, passwords, or any other identifiers like Social Security numbers. Some of the exposed data overlaps with information that was at risk through the other Google+ bug that impacted 500,000 users. But the two exposures are distinct, unlike situations where a company announces an estimate of total victims after a data breach, and then revises that estimate later after conducting a full investigation.

The announcement comes as Google has slogged through a series of prominent privacy and data management gaffes. And while the company's response to this Google+ exposure was quick and thorough, Google has had ample practice on privacy incident response this year alone.

"This didn't impact passwords or financial data, but it did give the ability to extract large amounts of information like email addresses and profile data," says David Kennedy, CEO of the penetration testing and incident response consultancy TrustedSec. "Issues like these, which have direct security implications, reflect the world we live in today with agile development. The whole goal is to get code and features out to customers faster, but with that comes the risk of exposure and introducing something like this."

Kennedy also points out that Google's quick detection is heartening, because it means the company is still actively testing security on Google+ even in its final days. After the incidents revealed in October, though, it seems like the least the company can do.

Google is notifying impacted users about the exposure, and there's probably not much you need to do to respond except hightail it off of Google+ if you're still using the service. May it rest in peace.
