Google shuts down Google+ after API bug exposed details for over 500,000 users

Google announced it is shutting down the Google+ social network after the company's engineers found an API bug that might have exposed some private profile data for more than 500,000 Google+ users.

The bug was located in the Google+ People API

The company said the bug was located in the Google+ People API. By default, Google+ users can grant access to their profile data to third-party apps. Just like with Facebook and Twitter, Google+ users can also allow a third-party app to access the public profile information of a user's friends.

In a blog post, Ben Smith, Google fellow and vice president of engineering, said the bug allowed third-party apps to also gain access to users' data that was marked private, not just the public data the apps would have normally been allowed to see.

According to the Google+ Profile API documentation, profile fields can store a treasure trove of sensitive user details such as such as name, email address, occupation, gender, age, nickname, birthday, just to name a few.

The bug was patched in March 2018

Google said it discovered and immediately patched the API bug in March 2018.

"We believe it occurred after launch as a result of the API's interaction with a subsequent Google+ code change," Smith said. The company said it found "no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused."

Google said it couldn't determine which users were impacted by this bug because the API was designed to keep logs for only two weeks, and it didn't have access to historical data longer than that.

"However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected," Smith said. "Our analysis showed that up to 438 applications may have used this API."

The bug might have leaked user data since 2015

A Wall Street Journal report published at the same time with Google's blog post claimed the API bug was far worse, and might have leaked user data since 2015, being only discovered when Google engineers started prodding Google sites for privacy leaks in preparation for the EU GDPR deadline. The same report claimed Google covered the incident instead of making it public, fearing "immediate regulatory interest.

Google now joins both Twitter and Facebook in disclosing a security incident in the past three weeks. Facebook was sued hours after announcing its security breach, and is facing inquiries in the EU.

As for Google+, the search giant won't miss it that much because the site never got off the ground with end users. Google said that 90 percent of all Google+ sessions don't last more than five seconds, confirming rumors that the site was more of a ghost town, when compared to Twitter and Facebook.

Google+ will retire in August 2019

Smith said Google+ would wind down over the next ten months, during which time users will be able to download or migrate their data, and the site would be permanently retired in August 2019.

In the blog post in which it announced the Google+ bug, Google also announced new privacy features for Gmail and Android users.

These are 2018's biggest hacks, leaks, and data breaches

Previous and related coverage:

Security 101: Here's how to keep your data private, step by step

This simple advice will help to protect you against hackers and government surveillance.

Google Pixel Slate: What to expect for this Chrome OS tablet

Forget the Pixelbook successor, we may see four variations of a Chrome OS tablet for the first time from Google.

Google: Apple, your sneaky iPhone patching is endangering users

If I can find these bugs using public tools, think what baddies can do with secret ones, says Project Zero expert.

Pence: Google should end development of Dragonfly

The US vice president calls out Google for the censored Chinese search engine it is reportedly developing.

Related stories:

• DHS and GCHQ join Amazon and Apple in denying Bloomberg chip hack story
• Amazon fires employee for sharing customers' email addresses
• G Suite admins get ability to remotely lock company-owned Android devices
• Recent wave of hijacked WhatsApp accounts traced back to voicemail hacking
• WhatsApp releases business API: Here's how you can use it TechRepublic
• WhatsApp co-founder: 'I sold my users' privacy' with Facebook acquisition CNET
• Recent wave of hijacked WhatsApp accounts traced back to voicemail hacking