Two months after disclosing an error that exposed the private profile data of almost 500,000 Google+ users, Google on Monday revealed a new leak that affects more than 52 million people. The programming interface bug allowed developers to access names, ages, email addresses, occupations, and a wealth of other personal details even when they were set to be nonpublic.
The bug was introduced in a release that went live at an undisclosed date in November and was fixed a week later, Google officials said in a blog post. While the bug was active, an app that had requested permission to view the profile information a user had added to their Google+ profile was granted access to that user's profile fields even when the user had set them to non-public. What's more, apps with access to users' Google+ profile data could also read non-public profile data that other Google+ users had shared with the consenting user. In all, the post said, 52.5 million users are affected.
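The failure described above is an authorization check that stops at the OAuth scope and never consults per-field visibility. The following is an added illustration written for this article, not Google's code: a toy profile API with a vulnerable read path (scope check only, so the app receives everything the consenting user can see, including fields other users shared only with that user) next to a hardened one that additionally filters each field by the owner's visibility setting. The policy modeled for the hardened path, that a third-party app receives only fields the owner marked public, the field names, the scope string `profile.read`, and all sample profiles are assumptions constructed for the example.

```python
"""Scope-only versus scope-plus-visibility authorization for a profile read API.

Constructed example; the data model, scope name and visibility policy are
assumptions made for illustration, not Google+'s actual implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

PUBLIC, CONNECTIONS, PRIVATE = "public", "connections", "private"
PROFILE_SCOPE = "profile.read"  # assumed scope name


@dataclass
class Profile:
    user_id: str
    fields: Dict[str, str]        # field name -> value
    visibility: Dict[str, str]    # field name -> PUBLIC | CONNECTIONS | PRIVATE
    connections: Set[str] = field(default_factory=set)


@dataclass
class AppGrant:
    app_id: str
    consenting_user: str          # the user who authorized the app
    scopes: Set[str]


def visible_to_user(profile: Profile, viewer_id: str) -> Dict[str, str]:
    """Fields a human viewer may see under the owner's own settings."""
    out: Dict[str, str] = {}
    for name, value in profile.fields.items():
        vis = profile.visibility.get(name, PRIVATE)  # default-deny for unlabeled fields
        is_owner = viewer_id == profile.user_id
        is_connection = vis == CONNECTIONS and viewer_id in profile.connections
        if is_owner or vis == PUBLIC or is_connection:
            out[name] = value
    return out


def vulnerable_get_profile(grant: AppGrant, profile: Profile) -> Dict[str, str]:
    """Vulnerable path: checks the scope, then hands the app whatever the
    consenting user could see. Private fields of the consenting user, and
    connections-only fields other users shared with them, all flow out."""
    if PROFILE_SCOPE not in grant.scopes:
        raise PermissionError("missing scope")
    return visible_to_user(profile, grant.consenting_user)


def hardened_get_profile(grant: AppGrant, profile: Profile) -> Dict[str, str]:
    """Hardened path: scope check plus a per-field policy. A third-party app
    acting for a user gets only fields the owner marked public, so data shared
    person-to-person never propagates to the recipient's apps."""
    if PROFILE_SCOPE not in grant.scopes:
        raise PermissionError("missing scope")
    return {
        name: value
        for name, value in profile.fields.items()
        if profile.visibility.get(name, PRIVATE) == PUBLIC
    }


def leaked_fields(grant: AppGrant, profile: Profile) -> List[str]:
    """Audit helper: field names the vulnerable path returns beyond the
    hardened one, i.e. what an app could have read that it should not have."""
    extra = set(vulnerable_get_profile(grant, profile)) - set(hardened_get_profile(grant, profile))
    return sorted(extra)


def build_sample() -> Tuple[AppGrant, Profile, Profile, AppGrant]:
    """Constructed sample data: alice authorizes an app; bob shares his age
    with connections (alice is one); carol is unconnected to bob."""
    alice = Profile(
        user_id="alice",
        fields={"name": "Alice Example", "email": "alice@example.invalid", "occupation": "Engineer"},
        visibility={"name": PUBLIC, "email": PRIVATE, "occupation": CONNECTIONS},
        connections={"bob"},
    )
    bob = Profile(
        user_id="bob",
        fields={"name": "Bob Example", "age": "41", "phone": "000-0000"},
        visibility={"name": PUBLIC, "age": CONNECTIONS, "phone": PRIVATE},
        connections={"alice"},
    )
    alice_grant = AppGrant(app_id="quiz-app", consenting_user="alice", scopes={PROFILE_SCOPE})
    carol_grant = AppGrant(app_id="quiz-app", consenting_user="carol", scopes={PROFILE_SCOPE})
    return alice_grant, alice, bob, carol_grant


if __name__ == "__main__":
    grant, alice, bob, carol_grant = build_sample()
    print("leaked from alice's own profile:", leaked_fields(grant, alice))   # ['email', 'occupation']
    print("leaked from bob via alice's app:", leaked_fields(grant, bob))      # ['age']
    print("leaked from bob via carol's app:", leaked_fields(carol_grant, bob))  # []
```

The audit helper is the part worth keeping after the fix: run against a corpus of profiles and grants, it quantifies how many non-public fields the old path would have exposed and to which apps, which is the number an incident write-up like Google's has to produce.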
“The bug did not give developers access to information such as financial data, national identification numbers, passwords, or similar data typically used for fraud or identity theft,” Monday’s post said. “No third party compromised our systems, and we have no evidence that the developers who inadvertently had this access for six days were aware of it or misused it in any way.”
Google said it was in the process of notifying consumer users who were affected. The post also said that Google is notifying affected enterprise customers by contacting administrators and sending them a list of affected users. Monday’s post didn’t say how many of the affected users were consumers versus enterprise customers.
The leak Google disclosed in October exposed non-public profile data from 2015 to 2018. It, too, was the result of a programming interface bug. Google said at the time that it would shut down the Google+ social networking service to consumers because of the “significant challenges” it faced in meeting users’ privacy expectations. Google also said at the time that it planned to gradually wind down the service to consumers over a 10-month period to give them a lengthy window to transition to other services.
On Monday, Google said it planned to expedite the closure from August 2019 to April. Google said it still planned to give users the opportunity to transition off of consumer Google+ and would provide them with information on ways to safely and securely download their data and move it to other services, if wanted.
While Google said it had no evidence either data leak was actively exploited, it has no way of assuring users that developers haven’t accessed the profile data that was supposed to be non-public. That means users should assume all profile data of this type is now in the public domain, regardless of how they had set up their permissions. The best way for users to protect themselves is to remove all data from profiles, close the accounts, and manually remove the Google+ app from their devices as soon as possible.