Google has reported another data breach affecting users of its social media platform Google+, and this time the numbers are a lot bigger.
Google had reported that a security flaw had allowed hackers to access 500,000 users’ passwords and other sensitive information. Now the company says that due to a flaw in a recent update, account information marked as private was available for developers with Google+ APIs to access.
The data breach is similar to a flaw that allowed Cambridge Analytica to improperly access Facebook user data, but Google says there is no evidence any developers downloaded the data.
For anyone who wants to delete their Goggle+ account immediately, Google has created a handy guide. Company execs wrote in a blog post that it would shut down all Google+ activities within 90 days.
We’ve recently determined that some users were impacted by a software update introduced in November that contained a bug affecting a Google+ API. We discovered this bug as part of our standard and ongoing testing procedures and fixed it within a week of it being introduced. No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way.
With the discovery of this new bug, we have decided to expedite the shut-down of all Google+ APIs; this will occur within the next 90 days. In addition, we have also decided to accelerate the sunsetting of consumer Google+ from August 2019 to April 2019. While we recognize there are implications for developers, we want to ensure the protection of our users.
However, Google wants to keep its Google+ offerings for enterprise customers as part of its G Suite product line.
We are in the process of notifying any enterprise customers that were impacted by this bug. A list of impacted users in those domains is being sent to system administrators, and we will reach out again if any additional impacted users or issues are discovered.
G Suite administrators are always in control of their users’ apps. This ensures that G Suite users can give access only to apps that have been vetted and are trusted by their organization. In addition, we want to reiterate that we will continue to invest in Google+ for enterprise. More details were announced in October.
We understand that our ability to build reliable products that protect your data drives user trust. We have always taken this seriously, and we continue to invest in our privacy programs to refine internal privacy review processes, create powerful data controls, and engage with users, researchers, and policymakers to get their feedback and improve our programs. We will never stop our work to build privacy protections that work for everyone.
This new disclosure comes as Google CEO Sundar Pichai is set to speak to members of Congress, prompting some to question the timing of the announcement. The previous Google+ data breach wasn’t reported until T he Wall Street Journal broke the story.
The company became aware of the security breach in the spring, but didn’t make an announcement until Oct. 8.
Chief Executive Sundar Pichai was briefed on the plan not to notify users after an internal committee had reached that decision, the people said.
The planned closure of Google+ is part of a broader review of privacy practices by Google that has determined the company needs tighter controls on several major products, the people said. In an announcement Monday, the company is expected to say it is curtailing the access it gives outside developers to user data on Android smartphones and Gmail, the people said.
Waiting to disclose the breach to users was a move designed to avoid damage to its image—and increased rules by government agencies.
Others are questioning Google’s ability to safeguard consumer data.
While a profile breach might be seen as less catastrophic of a system breach, the incident places serious concern around Google’s current security practices for the dying social network.
As a result of the breach, Google announced that it will be shutting down Google+ earlier than originally planned with a new final date of April 2019, which is four months ahead of its announced schedule. But why take the time and wait to have your data removed from Google’s servers? When a company loses information twice in only a few months and subjects over 52.5 million to the incidents, it might be wise to abandon ship before you go down with it.
Google has acknowledged the platform has a poor track record—but it asserts that company executives prioritize security.
“We understand that our ability to build reliable products that protect your data drives user trust,” David Thacker, Google’s vice president of product management, said in a statement Monday. “We have always taken this seriously, and we continue to invest in our privacy programs to refine internal privacy review processes, create powerful data controls and engage with users, researchers, and policymakers to get their feedback and improve our programs.”
Others say this kind of security risk is just part of living in the modern world, and they credit Google with a quick response to this latest security flaw.
“This didn’t impact passwords or financial data, but it did give the ability to extract large amounts of information like email addresses and profile data,” says David Kennedy, CEO of the penetration testing and incident response consultancy TrustedSec. “Issues like these, which have direct security implications, reflect the world we live in today with agile development. The whole goal is to get code and features out to customers faster, but with that comes the risk of exposure and introducing something like this.”
Kennedy also points out that Google’s quick detection is heartening, because it means the company is still actively testing security on Google+ even in its final days. After the incidents revealed in October, though, it seems like the least the company can do.
Announcing leak after leak is nonetheless damaging for any company’s reputation, and even internet blue chips like Google aren’t immune.
On Twitter, users shared their disdain:
Remember when Google said it was going to shut down Google+ because data leaked from 500,000 accounts? Yeah, now the company has announced that data from 50 MILLION users has been exposed. https://t.co/t90CIeCPyt
— Andrea Valdez (@andreamvaldez) December 10, 2018
— Michelle Ray (@GaltsGirl) December 10, 2018
What do you think of Google’s crisis response efforts, PR Daily readers?