A couple of months ago, Google announced that it would sunset its product Google Plus. The reasons behind this harsh decision included low user engagement and a vulnerability that resulted in a data breach. At that time, the company scheduled the Google+ sunset for August 2019. However, as disclosed in a recent blog post, Google has moved the Google+ shutdown date forward to April 2019 following another data breach.
Earlier this week, Google announced that it is accelerating the sunset of Google Plus. As disclosed in the blog post by David Thacker, VP, Product Management, G Suite, a vulnerability in the Google+ API that allegedly exposed users’ data compelled the company to change the previously planned Google+ shutdown date.
According to Thacker, the bug allegedly arose in the Google+ API after a software update in November. Officials noticed the bug during their standard testing procedures. Reportedly, the vulnerability affected around 52.5 million users, exposing their profile details. Regarding the extent of the damage caused by this vulnerability, Thacker stated,
“With respect to this API, apps that requested permission to view profile information that a user had added to their Google+ profile — like their name, email address, occupation, age — were granted permission to view profile information about that user even when set to not-public… In addition, apps with access to a user’s Google+ profile data also had access to the profile data that had been shared with the consenting user by another Google+ user but that was not shared publicly.”
Consequently, Google decided on an earlier shutdown, changing the scheduled sunset from August 2019 to April 2019. The company has also set a 90-day deadline to sunset all Google+ APIs.
Google revealed that it is still in the middle of its investigation into the breach. For now, however, the company assures users that the exposed data did not include any sensitive details.
“The bug did not give developers access to information such as financial data, national identification numbers, passwords, or similar data typically used for fraud or identity theft.”
The company also confirms that no third party could exploit the bug to access the data during the entire one-week period, nor did any developer who inadvertently had access misuse it during that period.
Google has begun informing the affected users about the breach. In addition, with regard to its enterprise customers, the company once again pledges to continue its services. It also continues to investigate whether any enterprise users were potentially impacted by this incident.