Google announced today that it is closing the Google+ social network after company technicians found an API bug that may have exposed private data from certain profiles.
The company said the bug was detected in the Google+ People API. By default, users of Google+ could access their profile data in third-party applications. As with Facebook and Twitter, users of Google+ could allow third-party applications to receive information from the user's public profile.
However, in a blog post, Ben Smith, Google Fellow and Vice President of Engineering, said the error allowed third-party applications to access user data that was considered private, and not just the public data that applications were allowed to "see".
According to the documentation of the Google+ Profile API, the profile fields store a trove of sensitive user information such as name, email address, profession, gender, age, alias, birthday, and more.
Google said it discovered the API error in March of 2018.
"We believe this happened after a code change in Google+," Smith said. The company said there was "no indication that a developer was aware of the error or that the API was being abused." He also said that no evidence was found to show that profile data was used.
Google said it could not determine exactly which users were affected by this bug because the API was designed to keep log files for only two weeks, so the company had no access to older data.
"However, we did a detailed analysis for the two weeks before fixing the error, and from that analysis, we found that up to 500,000 Google+ accounts were affected," Smith said. "Our analysis showed that up to 438 applications may have used this API."
An article by the Wall Street Journal, published at the same time as Google's blog post, claims that the API error is much worse and that user data may have been leaked by 2015. According to the WSJ, the error was only discovered when Google technicians began examining Google web pages for privacy leaks while preparing the company for the EU GDPR. According to the same report, Google covered up the incident rather than publicize it, fearing "direct consequences from regulators."
As for Google+, the company will not mourn it much; the service never attracted the interest of users.
Smith said Google+ will be terminated in the next ten months, during which service users will be able to download their data. The service will be permanently closed in August of 2019.