Google recently reported that it will “sunset” Google+, an unpopular social network it launched in 2011. Google released the announcement following a report by The Wall Street Journal about a security bug in the platform’s API that may have exposed the private data of half a million users to outside developers.
The bug surfaced in the redesign of Google+ in 2015. However, Google’s security engineers only discovered the flaw as part of a security audit in March 2018. The probe found that up to 438 external applications could have exploited the flaw.
The developers of the external applications thereby accessed the “static” profile information of private Google+ users, including users’ full name, email address, gender, profile picture, job status, location, and birth date. According to Google, as many as 500,000 Google+ accounts were affected by the flaw. However, Google could not discern which users were affected.
Google claimed that it immediately patched the bug upon discovery. Nonetheless, many have criticized Google’s initial decision to not report the bug. The Irish Data Protection Commission, a supervisory authority in the EU, announced that it will request additional information.
Google+ was launched as a would-be Facebook rival in 2011. However, it failed to achieve popularity, as 90 percent of Google+ users used the platform for less than five seconds. Regardless, Google’s decision to report the shutdown of Google+ immediately following The Wall Street Journal’s report may reveal that the termination was at least partly motivated by a need to avoid additional regulatory scrutiny.
Profile data security scandals have recently rocked Silicon Valley. Facebook’s Cambridge Analytica scandal surfaced the month that Google discovered the security bug. People have primarily focused on Facebook’s scandal, which revealed that the data of more than 50 million users had been stolen. But the difference between the security bug confronted by Google and the scandal confronted by Facebook boils down only to scale.