Google acknowledges Looker Studio sharing privacy bug
Critical vulnerability affects "Unlisted" report visibility despite privacy settings.

Google has confirmed a significant privacy vulnerability in Looker Studio that causes "Unlisted" reports to appear incorrectly in users' "Shared with me" sections, according to issue tracking documentation dated August 5, 2025. The bug fundamentally undermines the privacy expectations of the "Unlisted" sharing setting, potentially exposing sensitive business intelligence reports to unintended recipients.
The issue, designated as bug report number 436116937, was initially reported by a Supermetrics representative and has been assigned to Google's Cloud Looker Studio Engineering team. According to the tracking documentation, "This issue report has been forwarded to the Cloud Looker Studio Engineering team so that they may investigate it, but there is no ETA for a resolution today."
The vulnerability affects reports configured with "Unlisted" permissions, which are designed to be accessible only via direct links while remaining invisible in users' dashboard listings. However, the current bug causes these reports to appear in the "Shared with me" section of other users' Looker Studio interfaces, creating an unintended visibility pathway for what should be privately shared content.
The problem extends beyond simple visibility issues. Even when users set reports as public, the system incorrectly demands authentication from users attempting to access the content. This dual-layer problem creates confusion about access permissions and undermines the intended functionality of Looker Studio's sharing mechanisms.
This privacy vulnerability emerges during a period of heightened scrutiny around Google's data handling practices. Recent regulatory actions across multiple jurisdictions have highlighted concerns about how technology platforms manage user data and privacy controls. The Looker Studio bug represents a technical failure in implementing the very privacy protections that users and businesses rely upon for confidential data sharing.
Subscribe the PPC Land newsletter ✉️ for similar stories like this one. Receive the news every day in your inbox. Free of ads. 10 USD per year.
A separate but related issue compounds the privacy concerns. Google's tracking system reveals a second bug affecting unlisted data sources, documented as issue number 399387402. According to the report filed on February 26, 2025, "If I share a data source with a client as Unlisted and they accidentally Remove it from their Data Sources, it no longer shows up anywhere."
The data source problem creates operational difficulties for businesses using Looker Studio for client reporting. When unlisted data sources are removed from a user's interface, they become permanently inaccessible, with no recovery mechanism through standard trash or restoration functions. The issue description states: "Even if I re share the data source with them, it will never show up for them under Data Sources."
This creates cascading problems for shared reports. According to the documentation, when users attempt to copy reports that reference these removed data sources, "they can't see the existing data sources to know the ordering of the new data sources. It simply says 'Unknown' all the way down."
The data source bug affects business workflows where agencies and consultants share reporting infrastructure with clients. The proposed solution outlined in the issue report suggests implementing a trash or recovery system for removed shared data sources, or preventing the "Unknown" designation for unlisted data sources that have been removed from user interfaces.
These technical issues emerge against the backdrop of Google's broader evolution of Looker Studio throughout 2024 and 2025. The platform has integrated artificial intelligence features including natural language query capabilities and automated report generation, positioning itself as an increasingly sophisticated business intelligence solution.
However, the privacy bugs reveal fundamental gaps in the platform's access control mechanisms. The timing is particularly significant as businesses increasingly rely on cloud-based analytics platforms for sensitive financial and operational reporting. Recent developments in Looker Studio have emphasized advanced analytical capabilities while these core privacy functions remain compromised.
The issue affects multiple aspects of the data analytics workflow. Marketing teams using Looker Studio for campaign reporting, financial analysts sharing performance dashboards, and consulting firms providing client analytics all face potential exposure of confidential information through these sharing mechanism failures.
Google's response timeline indicates the company has acknowledged both issues but provided no definitive resolution schedule. The August 5, 2025 assignment of the primary sharing bug to the engineering team suggests active investigation, though the absence of an estimated time for resolution leaves users without guidance on when normal privacy functionality will be restored.
For organizations currently using Looker Studio, the privacy implications require immediate attention. The "Unlisted" sharing setting, previously considered a middle ground between fully private and publicly accessible reports, no longer provides reliable privacy protection. Reports intended for specific audiences through direct link sharing may now be discoverable through standard user interfaces.
The vulnerability particularly affects industries with strict data privacy requirements. Financial services firms sharing client performance reports, healthcare organizations analyzing patient data, and government agencies using Looker Studio for sensitive analytics face potential compliance implications if confidential reports become unexpectedly visible to unauthorized users.
The data source issue adds operational complexity to these privacy concerns. Businesses that rely on consistent data source availability for ongoing reporting workflows must now account for the permanent loss of shared unlisted data sources if they are accidentally removed from user interfaces.
Technical workarounds remain limited while Google investigates the issues. Organizations can migrate to "Restricted" sharing settings for sensitive reports, though this requires maintaining explicit user permission lists and may complicate existing sharing workflows that relied on the simplicity of unlisted link-based access.
The bug reports reveal the challenges of maintaining privacy controls in complex cloud-based analytics platforms. As Google has expanded Looker Studio's capabilities with enhanced audit logging and data transparency features, these fundamental access control failures highlight the ongoing difficulty of ensuring privacy mechanisms work as intended across all platform features.
Industry observers note that privacy bugs in business intelligence platforms can have far-reaching consequences beyond the immediate technical issues. Organizations that lose confidence in sharing mechanism reliability may reduce their use of cloud-based analytics tools or implement additional privacy controls that complicate collaboration workflows.
The incidents also underscore the importance of robust testing for privacy-related features in enterprise software platforms. The fact that both bugs affect core sharing functionality suggests gaps in quality assurance processes for features that directly impact user privacy expectations.
For the broader digital marketing community, these Looker Studio issues serve as a reminder of the ongoing challenges in balancing platform functionality with privacy protection. As Google continues to evolve its privacy sandbox initiatives and responds to regulatory pressures, technical implementations of privacy controls remain susceptible to bugs that can undermine user trust.
The resolution timeline for these issues will likely influence how businesses approach privacy-sensitive reporting in Google's ecosystem. Organizations may demand stronger service level agreements for privacy feature reliability or seek alternative platforms that provide more predictable access control mechanisms.
As businesses await Google's technical resolution, the incidents highlight the critical importance of understanding the privacy implications of cloud-based analytics platforms. The assumption that "Unlisted" settings provide reliable privacy protection has proven incorrect, forcing users to reassess their data sharing strategies and implement additional safeguards for sensitive business intelligence content.
Subscribe the PPC Land newsletter ✉️ for similar stories like this one. Receive the news every day in your inbox. Free of ads. 10 USD per year.
Timeline
- February 26, 2025: Initial report filed regarding unlisted data sources disappearing permanently when removed
- May 20, 2024: Looker Studio updates enhance audit logging and data source transparency
- July 13, 2024: Looker Studio gains new features and partners
- August 5, 2025: Google acknowledges Looker Studio sharing privacy bug and assigns to engineering team
- August 27, 2024: Google removes Auction Insights from Looker Studio
- September 8, 2024: Looker Studio enhances reporting with Gemini AI-powered features
- December 7, 2024: Looker Studio expands natural language capabilities with Gemini integration
- December 15, 2024: Looker Studio enhances data visualization with new features and partnerships
- July 25, 2025: Looker Studio introduces Code Interpreter for advanced data analysis
Key Terms Explained
Looker Studio: Google's cloud-based business intelligence and data visualization platform that enables organizations to create interactive reports and dashboards from various data sources. Originally launched as Google Data Studio, the platform was rebranded to Looker Studio following Google's acquisition of Looker in 2019. The service allows users to connect multiple data sources, create custom visualizations, and share reports with stakeholders through various permission levels.
Unlisted Sharing: A privacy setting in Looker Studio designed to make reports accessible only through direct links while keeping them invisible in users' standard dashboard listings. This sharing method was intended as a middle ground between fully private reports (restricted to specific users) and public reports (discoverable by anyone). The current bug compromises this functionality by making unlisted reports appear in users' "Shared with me" sections.
Privacy Vulnerability: A security weakness that compromises user privacy by allowing unauthorized access to personal or confidential information. In the context of Looker Studio, these vulnerabilities manifest as sharing mechanism failures that expose reports to unintended recipients despite configured privacy settings. Such vulnerabilities can have significant compliance implications for organizations handling sensitive data.
Data Sources: The underlying databases, spreadsheets, APIs, or other repositories that feed information into Looker Studio reports. These can include Google Analytics, Google Ads, MySQL databases, CSV files, and hundreds of third-party connectors. When data sources become inaccessible or display as "Unknown," reports lose their functionality and users cannot understand the data relationships.
Business Intelligence: The technology-driven process of analyzing business data to support decision-making through reports, dashboards, and data visualizations. Looker Studio serves as a business intelligence tool by enabling organizations to transform raw data into actionable insights. The privacy bugs affect this core functionality by compromising the secure sharing of analytical insights.
Shared with Me: A section in Looker Studio's user interface that displays reports and data sources that other users have explicitly shared with the current user. The privacy bug causes unlisted reports to appear in this section inappropriately, creating visibility for content that was intended to remain discoverable only through direct links.
Issue Tracking: Google's systematic approach to documenting, prioritizing, and resolving software bugs and feature requests through its internal tracking system. The Looker Studio privacy issues are documented with specific tracking numbers (436116937 and 399387402) that allow users to monitor resolution progress and provide additional feedback to engineering teams.
Access Control: The security mechanisms that determine who can view, edit, or share specific reports and data sources within Looker Studio. Effective access control relies on properly functioning permission settings, user authentication, and sharing mechanisms. The current bugs represent failures in these access control systems that could expose sensitive business data.
Cloud Platform: Google Cloud's infrastructure that hosts Looker Studio and provides the computational resources for data processing, visualization, and sharing. As part of Google Cloud's Data Analytics suite, Looker Studio leverages cloud scalability and integration capabilities while introducing dependencies on cloud-based security and privacy controls.
Engineering Team: Google's Cloud Looker Studio Engineering division responsible for developing, maintaining, and fixing the platform's technical functionality. This team investigates reported bugs, implements new features, and ensures the platform meets security and privacy requirements. The current privacy issues have been assigned to this team without specified resolution timelines.
Summary
Who: Google's Cloud Looker Studio Engineering team is investigating privacy bugs affecting users who share reports and data sources through the platform's "Unlisted" setting. The issues were reported by users including representatives from Supermetrics and individual users experiencing data sharing problems.
What: Two critical privacy bugs affect Looker Studio's sharing mechanisms. The first causes "Unlisted" reports to appear incorrectly in other users' "Shared with me" sections despite privacy settings. The second makes unlisted data sources permanently disappear when users accidentally remove them, with no recovery mechanism available.
When: The primary sharing bug was reported and acknowledged by Google on August 5, 2025. The data source disappearing issue was first reported on February 26, 2025. Google has not provided estimated resolution timelines for either issue.
Where: The bugs affect Google's Looker Studio platform globally, impacting organizations that rely on the cloud-based business intelligence tool for sharing sensitive reports and data sources with clients, colleagues, and stakeholders across different access permission levels.
Why: These privacy vulnerabilities matter because they undermine the fundamental security expectations of business users who rely on Looker Studio's sharing settings to control access to sensitive business intelligence data. The issues affect marketing teams, financial analysts, consulting firms, and other organizations that need reliable privacy controls for confidential reporting workflows.