Google has decided to ‘sunset’ the consumer version of Google+ and its APIs much earlier than planned after a second bug was found to have revealed millions of customers’ private data to software developers.
In October, the company announced it would phase out the consumer version of Google+ due to the “significant challenges involved in maintaining a successful product that meets consumers’ expectations, as well as the platform’s low usage.”
This process will now be expedited after Google recently determined that some users were impacted by a software update introduced in November that contained a bug affecting a Google+ API.
A Google spokesperson said: “We discovered this bug as part of our standard and ongoing testing procedures and fixed it within a week of it being introduced. No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way.
“With the discovery of this new bug, we have decided to expedite the shut-down of all Google+ APIs; this will occur within the next 90 days. In addition, we have also decided to accelerate the sunsetting of consumer Google+ from August 2019 to April 2019. While we recognise there are implications for developers, we want to ensure the protection of our users.”
Google said its investigation into the impact of the bug is ongoing, but it confirmed that the it impacted approximately 52.5 million users in connection with a Google+ API.
With respect to this API, apps that requested permission to view profile information that a user had added to their Google+ profile – like their name, email address, occupation, age – were granted permission to view profile information about that user even when set to not-public.
In addition, apps with access to a user’s Google+ profile data also had access to the profile data that had been shared with the consenting user by another Google+ user but that was not shared publicly.
The bug did not give developers access to information such as financial data, national identification numbers, passwords, or similar data typically used for fraud or identity theft, according to Google.
It added that no third-party compromised its systems, and it has no evidence that the developers who inadvertently had this access for six days were aware of it or misused it in any way.
The spokesperson said: “We have begun the process of notifying consumer users and enterprise customers that were impacted by this bug. Our investigation is ongoing as to any potential impact to other Google+ APIs.
“We understand that our ability to build reliable products that protect your data drives user trust. We have always taken this seriously, and we continue to invest in our privacy programs to refine internal privacy review processes, create powerful data controls, and engage with users, researchers, and policymakers to get their feedback and improve our programs. We will never stop our work to build privacy protections that work for everyone.”