Google+ continues to sink with a second massive data breach
The company is currently notifying impacted users about the exposure (Europost)
Just two months ago Google announced it would shut down its social network Google+ in August 2019, because the company had discovered a software glitch in Google+ that affected up to 500,000 accounts' data. Maybe it should have pulled the plug sooner.
On Monday, the company announced that an additional bug in a Google+ API, introduced as part of a November 7 software update, exposed user data from more than 52.5 million accounts. Google found the flaw and corrected it by November 13, which means that app developers would have had improper access to user data for six days. In a blog post, however, Google tried to calm things down by saying it doesn't have any evidence the data was misused during that time, or that Google+ was compromised by a third party. But it is a fact that the company is now moving up Google+'s termination date to April, and it will cut off access to Google+ APIs in 90 days.
"Our testing revealed that a Google+ API was not operating as intended. We fixed the bug promptly and began an investigation into the issue," David Thacker, Google's vice president of product management, wrote in a blog post on Monday. "We have begun the process of notifying consumer users and enterprise customers that were impacted by this bug. ... We want to give users ample opportunity to transition off of consumer Google+."
The bug exposed Google+ profile data that a user hadn't made public - things like name, age, email address, and occupation - as well as some profile data shared privately between users that shouldn't have been accessible. Fortunately, the flaw did not expose financial data, passwords, or any other identifiers like Social Security numbers.
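The class of defect described above is a missing visibility check in an API serializer: the endpoint returns profile fields without consulting the per-field audience the owner chose. The following Python sketch is an added illustration, not Google's code, and all names in it (the `Profile` type, the `public`/`connections`/`private` tiers, and the sample profile for "alice") are constructed for this example. It places a serializer that trusts the caller to filter beside one that enforces visibility server-side, and includes a `leaked_fields` check of the kind a test suite can run to catch a regression like this before it ships.

```python
# Added illustration (not Google's code): field-level visibility enforcement
# for a profile API. Field names, visibility tiers and the sample profile are
# constructed for this example.

from dataclasses import dataclass, field

# Visibility tiers a profile owner can assign to each field, most to least open.
PUBLIC, CONNECTIONS, PRIVATE = "public", "connections", "private"
TIERS = {PUBLIC: 0, CONNECTIONS: 1, PRIVATE: 2}


@dataclass
class Profile:
    owner: str
    fields: dict                      # field name -> stored value
    visibility: dict                  # field name -> tier chosen by the owner
    connections: set = field(default_factory=set)


def requester_tier(profile, requester):
    """Highest tier the requester is entitled to see on this profile."""
    if requester == profile.owner:
        return PRIVATE
    if requester in profile.connections:
        return CONNECTIONS
    return PUBLIC


def serialize_buggy(profile, requester):
    # Failure mode: return every stored field and trust the calling app to
    # filter, so non-public data reaches any app holding a valid token.
    return dict(profile.fields)


def serialize(profile, requester):
    # Hardened form: the server applies the owner's per-field setting and
    # fails closed for any field that has no explicit visibility recorded.
    allowed = TIERS[requester_tier(profile, requester)]
    return {
        name: value
        for name, value in profile.fields.items()
        if TIERS[profile.visibility.get(name, PRIVATE)] <= allowed
    }


def leaked_fields(profile, requester, serializer):
    """Fields a serializer returns that the requester may not see; [] is the
    expected result for a correct serializer and suits a regression test."""
    allowed = TIERS[requester_tier(profile, requester)]
    return sorted(
        name
        for name in serializer(profile, requester)
        if TIERS[profile.visibility.get(name, PRIVATE)] > allowed
    )


# Constructed sample profile: name public, email and occupation shared only
# with connections, age private.
SAMPLE = Profile(
    owner="alice",
    fields={"name": "Alice", "age": 34,
            "email": "alice@example.com", "occupation": "engineer"},
    visibility={"name": PUBLIC, "age": PRIVATE,
                "email": CONNECTIONS, "occupation": CONNECTIONS},
    connections={"bob"},
)

if __name__ == "__main__":
    print(serialize(SAMPLE, "stranger"))
    print(leaked_fields(SAMPLE, "stranger", serialize_buggy))
    print(leaked_fields(SAMPLE, "stranger", serialize))
```

The point of `leaked_fields` is that it is cheap to run against every serializer on every release: a check that asserts the returned field set against the owner's settings for a stranger, a connection and the owner would have flagged a serializer that silently started returning everything.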
The announcement comes as Google has slogged through a series of prominent privacy and data management gaffes. And while the company's response to this Google+ exposure was quick and thorough, Google has had ample practice in privacy incident response this year alone.
"This didn't impact passwords or financial data, but it did give the ability to extract large amounts of information like email addresses and profile data," says David Kennedy, CEO of the penetration testing and incident response consultancy TrustedSec. "Issues like these, which have direct security implications, reflect the world we live in today with agile development. The whole goal is to get code and features out to customers faster, but with that comes the risk of exposure and introducing something like this."
Kennedy also points out that Google's quick detection is heartening, because it means the company is still actively testing security on Google+ even in its final days. After the incidents revealed in October, though, it seems like the least the company can do.