Breach Notification , Data Loss Prevention (DLP) , Governance & Risk Management

Fresh Google+ Bug Exposed 52.2 Million Users' Data

Google Advances Date for Mothballing Google+ Social Network for Consumers
Fresh Google+ Bug Exposed 52.2 Million Users' Data
Google's campus in Mountain View, California. (Photo: Shawn Collins via Flickr/CC)

Google on Monday warned that a buggy API update introduced in November to its soon-to-be-mothballed Google+ social network exposed personal information for 52.2 million users.

See Also: OnDemand | 2023 OT Cybersecurity Year in Review: Lessons Learned from the Frontlines

The security alert arrives just two months after Google belatedly admitted that data from an estimated 500,000 accounts had been exposed in March, due to a problem with the same API. But Google only revealed that data exposure in October, following inquiries from the Wall Street Journal (see: Google Forced to Reveal Exposure of Private Data).

The latest data exposure couldn't come at a worse time for the search firm because lawmakers and regulators are increasing their scrutiny of the security and data collection practices of technology giants, including Facebook, Twitter as well as Google.

But Google's quick notification shows it may have learned a lesson after its experience with the first exposure involving Google+, says Stephan Chenette, CTO of security vendor AttackIQ, which develops a threat-monitoring platform.

"Companies with repeated security incidents tend to lose even more public trust as it demonstrates a failure to learn from previous mistakes," Chenette says. "However, compared to Google's last breach, the company disclosed this bug much sooner and is trying to be more transparent."

Exposure Lasted Six Days

The latest Google+ problem exposed personal data that users had intended for only their friends to see - including their physical address, relationship status, birthdate and employer - to app developers. Google has released a full list of the exposed data collected by its People API.

Some of the types of data supplied by Google's People API for Google+, which the search giant says inadvertently exposed user data to app developers (Source: Google)

Even worse, the same kind of data was exposed for those people's connections, many of whom would likely have never consented to the permissions demanded by the app that their friends were using.

The exposure lasted six days, David Thacker, vice president of product management for G Suite, writes in a blog post. "No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way," he writes.

Financial data, national ID numbers, passwords or similar data that could be used for fraud was not exposed, he adds.

Google+ Shutdown Accelerated

The exposure occurred due to a bug in the Google+ People API, which developers who create apps that are compatible with the social network can access. Calling on the API allows app developers to pull data from a user's profile and see what kind of a content that user has indicated that they enjoyed or re-shared.

Thacker says that Google is contacting consumers and enterprises about the latest data exposure. But it remains unclear if Google plans to notify regulators. Reached for comment, a Google spokesman in Australia tells Information Security Media Group that the company had nothing to add, beyond what was in Thacker's blog post.

As a result of the data exposure, Google said it plans to accelerate its decommissioning of Google+, which was meant to be the search giant's alternative to Facebook but failed to gain traction.

Google will shut down all Google+ APIs within 90 days, and the entire consumer version of the service will be mothballed in April 2019, Thacker says. The time line is designed to give users enough time to transition away from Google+ and to "safely and securely download and migrate their data," he adds.

The revised timing updates Google's original shutdown plan, announced two months ago - when it first admitted to having exposed data via the same API - which was to deactivate Google+ by August 2019.

Google has said that its decision has been driven by poor consumer uptake and use of Google+. But it plans to continue offering an enterprise version of the social network.

Google failed to disclose the March data exposure, which involved 500,000 accounts, until it was queried about the episode by the Wall Street Journal. The publication reported that internal Google communications showed that the company was concerned about regulatory scrutiny and reputational damage if it went public with the Google+ security problems.

Subsequently, Google admitted that the initial API bug had been discovered and patched in March. But the technology giant has said it's unable to calculate exactly how many accounts might have been affected, because it was only keeping relevant logs for two weeks. Based on a two-week sampling period, however, Google estimated that 500,000 Google+ users were affected and that 438 apps for Google+ had access to the People API.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.