Story image

52mil users affected by Google+’s second data breach

11 Dec 18

Google is bringing forward the planned shutdown of its social media platform, Google+, after 52 million users were impacted by another security breach.

A software update introduced in November contained a bug that was affecting a Google+ API.

In a statement on its site, G Suite product management VP David Thacker says the bug was discovered as part of its testing procedures and fixed within a week of its introduction.

“No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way.”

Thacker says Google+ APIs will be shut down within the next 90 days, and the consumer platform will be disabled in April 2019 instead of August 2019 as originally planned.

He adds that Google has begun the process of notifying consumer users and enterprise customers that were impacted by the bug and there is an ongoing investigation of the potential impact on other Google+ APIs.

This is the second breach on Google's social media platform. 

Google was accused of failing to disclose the first breach, which happened in March, potentially affecting 500,000 Google+ accounts. 

Soon after news of the breach became public, Google announced plans to shut down Google+, saying it “has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps.”

Google posted these details about the latest bug and the investigation on its site:

Testing revealed that a Google+ API was not operating as intended.

The bug was fixed and Google began an investigation into the issue.

Our investigation into the impact of the bug is ongoing, but here is what we have learned so far:

  • We have confirmed that the bug impacted approximately 52.5 million users in connection with a Google+ API.
     
  • With respect to this API, apps that requested permission to view profile information that a user had added to their Google+ profile—like their name, email address, occupation, age (full list here)—were granted permission to view profile information about that user even when set to not-public.
     
  • In addition, apps with access to a user's Google+ profile data also had access to the profile data that had been shared with the consenting user by another Google+ user but that was not shared publicly.
     
  • The bug did not give developers access to information such as financial data, national identification numbers, passwords, or similar data typically used for fraud or identity theft.
     
  • No third party compromised our systems, and we have no evidence that the developers who inadvertently had this access for six days were aware of it or misused it in any way.
IoT breaches: Nearly half of businesses still can’t detect them
The Internet of Thing’s (IoT’s) rapid rise to prominence may have compromised its security, if a new report from Gemalto is anything to go by.
Carbon Black: What does cybersecurity have in store for 2019?
Tom Kellerman has shared five insights for the year ahead, including a particularly bold one.
Hands-on review: The Ekster Wallet protects your cards against RFID attacks
For some time now, I’ve been protecting my credit cards with tinfoil. The tinfoil hat does attract a lot of comments, but thanks to Ekster, those days are now happily behind me.
Report on SingHealth breach condemns poor security practices
The 2018 Singapore SingHealth data breach was poorly managed and riddled with vulnerabilities from the start.
Tesla wants people to hack its Model 3
Tesla is offering white hat hackers what could be the chance of a lifetime – the opportunity to hack one of its Model 3 vehicles.
How to tackle cyber threats in your home
How should you start securing your devices? The company has provided tips for actions you can take across social media, home routers, TVs, and many more.
Endace joins IBM Security app exchange community
EndaceProbe Network Analytics Platform captures, indexes, and stores network traffic while hosting a variety of network security and performance monitoring applications.
Datto names new CEO as founder steps back
Austin McChord continues as a board member as the former president and COO takes over as CEO.