Google+ to shut down following disclosure of security vulnerability

Google discovered the breach back in March but chose not to disclose it.

 

Christina Bonnington

Posted on Oct 8, 2018   Updated on May 21, 2021, 4:40 am CDT

Facebook isn’t the only technology giant to have breached users’ trust and privacy. Google just announced that it’s shuttering its social network Google+ after leaving user data vulnerable to abuse by outside developers.

Months after Facebook announced that user data had been accessed inappropriately via political data firm Cambridge Analytica, Google confirmed that hundreds of thousands of Google+ users’ data was exposed in a software glitch. Perhaps even worse than the security issue itself is how Google handled the incident. After discovering the issue earlier this spring, the Wall Street Journal reports, Google decided not to disclose the issue “in part because of fears that doing so would draw regulatory scrutiny and cause reputational damage.”

Much like Facebook’s Cambridge Analytica scandal, the Google+ incident involved third-party developers potentially having access to users’ profile data. The exposure lasted from 2015 to March 2018, when the issue was discovered and fixed. An internal memo shared with senior executives and viewed by the Wall Street Journal said that if the company disclosed the vulnerability, it could spark “immediate regulatory interest.” To keep the issue from snowballing alongside Facebook’s security woes, Google stayed silent on it until now.

Alphabet, Google’s parent company, has now completely shut down all consumer-side functionality of the social network. Thus far, there seem to be no signs of abuse, and Google+ has been a ghost town for years. As some Twitter users have rightfully pointed out, Google tried to downplay this fact in the past but now admits that “90 percent of Google+ user sessions are less than five seconds.”

https://twitter.com/MikeIsaac/status/1049351790670401536

“Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice,” a Google spokesperson told the Wall Street Journal. The company considered “whether [it] could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response.”

The company concluded that none of these thresholds were met, so it chose not to disclose the vulnerability.

Google detailed in a post Monday that it formed a 100-person-strong task force earlier this year called Project Strobe to review third-party access to Google application programming interfaces and services. The unit discovered the Google+ bug, which could affect as many as 500,000 users, including G Suite customers such as schools and businesses. Unfortunately, due to limited activity logs, the investigators were unable to determine exactly who may have been affected and what kinds of data may have been exposed to third-party developers. More than 400 applications may have had access to this data.

Google could now face repercussions such as increased government regulation or class action lawsuits over its failure to disclose this issue in a more timely fashion. For more information on the incident, visit Google’s blog post here.

H/T Wall Street Journal

First Published: Oct 8, 2018, 5:47 pm CDT