Upon discovering the bug, Google patched it, but opted not to disclose it to the public out of fear of regulatory pressure and unfavorable comparisons to Facebook's Cambridge Analytica privacy scandal. The compromised data were optional Google+ profile fields that included name, age, gender, occupation, and email address. The company adds that it cannot confirm how many Google+ users were affected by this bug, but based on a detailed analysis it seems up to 500,000 Google+ accounts have been affected.
Smith said that when users grant permissions to access SMS, Contacts and Phone data to apps, they do so with specific use cases in mind, again indicating that the present policies have given developers overly broad access to people's information.
In the case of Google+, the glitch affected an API through which users share their profile data, and the data of their friends, with Google+ apps, Google said in the blog post.
Nevertheless, as a result of the security audit, the search giant has vowed to allow users to tightly control what data is made available to third-party applications that sync with Google accounts.
"We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any profile data was misused," Google said in a blog post. As a result all European Union data protection authorities have jurisdiction to engage with Google on the breach. Given these challenges and the very low usage of the consumer version of Google+, we chose to sunset the consumer version of Google+. "Our goal is to support a wide range of useful apps, while ensuring that everyone is confident that their data is secure".
"We are shutting down Google+ for consumers", Smith added, admitting that the product was, at best, underwhelming.
A Google spokesperson cited "significant challenges in creating and maintaining a successful Google+ that meets consumers' expectations" along with "very low usage" as the reasons for the move.
Google says that the data of half a million people was compromised, but because they only log data for two weeks, they're unable to say who was impacted.