Google Reveals a New Google+ Data Breach and a New Shutdown Date

Google+ Security Bug

In early 2018, Google launched what it called Project Strobe – a thorough review of how third-party apps and consumers engage with the search engine giant's services. After carefully poking through Google+, Mountain View's engineers found out that 'there are significant challenges in creating and maintaining a successful Google+ product that meets consumers' expectations' and that 'Google+ currently has low usage and engagement.' Translated from corporate speak, this means that people don't use Google+ because they don't like it. In October, Google gave users another reason not to like Google+.

Bug #1 and Google+'s predictable end

The Silicon Valley behemoth announced that it had found a bug in one of the social network's APIs. It was discovered and fixed in March, it affected about half a million people, and it let third-party apps read information that wasn't supposed to be visible to the outside world. While security blunders are always embarrassing, especially for big companies like Google, this particular bug wasn't that scary. For one, the potentially exposed information wasn't that sensitive. More importantly, Google noted that there was no evidence of developers actively exploiting the vulnerability. Despite the relatively low severity, the security hole likely helped Google realize that keeping Google+ going wasn't worth it, and the company announced that it would slowly wind down the social network's operation, shutting it down completely in August next year.

As we mentioned back then, not many people were grieving the loss. Some were unhappy, though. They were angry with Google for keeping the bug a secret for seven months, and they even called for regulators to look into it. This didn't happen, however, and because the potential impact was relatively low, the whole thing blew over quite quickly.

A déjà vu moment

On Monday, Google announced another bug that might keep people hot under the collar for a bit longer. The story was more or less the same. An update applied in November introduced a bug in one of the APIs which gave third-party app developers access to user information that had been set as "not-public." The exposed records included name, email address, age, occupation, date of birth, gender, etc. Once again, the users' financial and login data was not affected, and once again, Google found no evidence of anyone exploiting the bug.

There were a couple of differences, though. Vulnerable individuals gave third-party applications permission to read some of their public data, and by doing so, they inadvertently exposed not only their own private information but also that of the profiles in their so-called "circles." This is one of the reasons why, with the second security hole, the potential damage was much, much more serious. The personal data of a whopping 52.5 million users was at risk. That's 100 times more than the number of potential victims of March's vulnerability.

Google doesn't want to wait any longer

November's security hole has prompted Google to change its plans a bit. Apparently, the people calling the shots don't want to wait for a third bug that could turn out to be even more catastrophic, which is why they are speeding up Google+'s demise. The shutdown date has been moved up from August 2019 to April 2019, and within the next 90 days, all of Google+'s APIs will be disabled.

In four months, your Google+ profile will be gone for good, but unless you are one of the few people who use it actively, you might as well get rid of it now. You can find all the information on how to do that in our step-by-step guide.

The decision to put the Google+ project to rest was probably long in the making, but the two security holes that were disclosed in just as many months certainly accelerated the process. The positive thing is, no bugs were exploited by the bad guys. Let's hope it stays that way for the remaining four months.

December 12, 2018
