Story image

52mil users affected by Google+’s second data breach

11 Dec 2018

Google is bringing forward the planned shutdown of its social media platform, Google+, after 52 million users were impacted by another security breach.

A software update introduced in November contained a bug that was affecting a Google+ API.

In a statement on its site, G Suite product management VP David Thacker says the bug was discovered as part of its testing procedures and fixed within a week of its introduction.

“No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way.”

Thacker says Google+ APIs will be shut down within the next 90 days, and the consumer platform will be disabled in April 2019 instead of August 2019 as originally planned.

He adds that Google has begun the process of notifying consumer users and enterprise customers that were impacted by the bug and there is an ongoing investigation of the potential impact on other Google+ APIs.

This is the second breach on Google's social media platform. 

Google was accused of failing to disclose the first breach, which happened in March, potentially affecting 500,000 Google+ accounts. 

Soon after news of the breach became public, Google announced plans to shut down Google+, saying it “has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps.”

Google posted these details about the latest bug and the investigation on its site:

Testing revealed that a Google+ API was not operating as intended.

The bug was fixed and Google began an investigation into the issue.

Our investigation into the impact of the bug is ongoing, but here is what we have learned so far:

  • We have confirmed that the bug impacted approximately 52.5 million users in connection with a Google+ API.  
  • With respect to this API, apps that requested permission to view profile information that a user had added to their Google+ profile—like their name, email address, occupation, age (full list here)—were granted permission to view profile information about that user even when set to not-public.  
  • In addition, apps with access to a user's Google+ profile data also had access to the profile data that had been shared with the consenting user by another Google+ user but that was not shared publicly.  
  • The bug did not give developers access to information such as financial data, national identification numbers, passwords, or similar data typically used for fraud or identity theft.  
  • No third party compromised our systems, and we have no evidence that the developers who inadvertently had this access for six days were aware of it or misused it in any way.
Kiwis know security is important, but they're not doing much about it
Only 49% of respondents use antivirus software and even fewer – just 19% -  change their passwords regularly.
Avi Networks: Using visibility to build trust
Visibility, also referred to as observability, is a core tenet of modern application architectures for basic operation, not just for security.
Privacy: The real cost of “free” mobile apps
Sales of location targeted advertising, based on location data provided by apps, is set to reach $30 billion by 2020.
Myth-busting assumptions about identity governance - SailPoint
The identity governance space has evolved and matured over the past 10 years, changing with the world around it.
Forrester names Crowdstrike leader in incident response
The report provides an in-depth evaluation of the top 15 IR service providers across 11 criteria.
Slack doubles down on enterprise key management
EKM adds an extra layer of protection so customers can share conversations, files, and data while still meeting their own risk mitigation requirements.
Security professionals want to return fire – Venafi
Seventy-two percent of professionals surveyed believe nation-states have the right to ‘hack back’ cybercriminals.
Alcatraz AI to replace corporate badges with AI security
The Palo Alto-based startup supposedly leverages facial recognition, 3D sensing, and machine learning to enable secure access control.