In March 2018, a data breach was discovered in the Google+ API. Google did not disclose the breach, which affected thousands of users, at the time. The data breach, affecting up to half a million users, included full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status. Google's analysis showed that up to 438 applications may have used the Google+ API. The data breach was disclosed this week, 6 months later.
The bug in the Google+ API
Users can grant access to their Profile data, and the public Profile information of their friends, to Google+ apps, via the API. The bug meant that apps also had access to Profile fields that were shared with the user, but not marked as public. This data is limited to static, optional Google+ Profile fields including name, email address, occupation, gender, and age. (See the full list on our developer site.) It does not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content.
Ben Smith, Google Fellow and Vice President of Engineering
We discovered and immediately patched this bug in March 2018. We believe it occurred after launch as a result of the API’s interaction with a subsequent Google+ code change.
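The access rule in Google's statement can be modelled as a field-level visibility check. This is an added example, not Google's code, and it models the described behaviour rather than the actual root cause: the Profile class, function names, visibility labels and sample data are constructed, and giving the app the granting user's own profile in full is an assumption.

```python
# Constructed model of the access rule in the quote above; not Google's code.
from dataclasses import dataclass

PUBLIC, SHARED = "public", "shared"  # SHARED: visible to named people only

@dataclass
class Profile:
    owner: str
    fields: dict  # field name -> (value, visibility, audience set)

def visible_to_user(profile, viewer):
    """What a signed-in person sees: public fields plus those shared with them."""
    return {name: value
            for name, (value, vis, audience) in profile.fields.items()
            if vis == PUBLIC or viewer == profile.owner or viewer in audience}

def app_view_flawed(profile, granting_user):
    """Flawed rule: the app inherits everything the granting user can see."""
    return visible_to_user(profile, granting_user)

def app_view_intended(profile, granting_user):
    """Intended rule: own profile in full (assumption), friends' public fields only."""
    if granting_user == profile.owner:
        return {name: value for name, (value, _, _) in profile.fields.items()}
    return {name: value
            for name, (value, vis, _) in profile.fields.items() if vis == PUBLIC}

def leaked_fields(api_view, profile, granting_user):
    """Regression check: non-public fields of someone else's profile sent to an app."""
    if granting_user == profile.owner:
        return []
    returned = api_view(profile, granting_user)
    return sorted(n for n in returned if profile.fields[n][1] != PUBLIC)

# Constructed sample data: bob's profile, alice grants an app access.
BOB = Profile("bob", {
    "name": ("Bob Example", PUBLIC, set()),
    "occupation": ("Engineer", PUBLIC, set()),
    "email": ("bob@example.test", SHARED, {"alice"}),
    "age": (34, SHARED, {"alice"}),
    "gender": ("male", SHARED, {"carol"}),
})

if __name__ == "__main__":
    for view in (app_view_flawed, app_view_intended):
        print(view.__name__, "leaks:", leaked_fields(view, BOB, "alice"))
```

A check like `leaked_fields` belongs in the API's regression suite, so that a later code change that widens the app's view fails a test instead of reaching production.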
Google is shutting down Google+ for consumers
Google said this week that it is shutting down Google+ for consumers. Google says Google+, created in 2011, didn't achieve broad consumer or developer adoption and has seen limited user interaction with apps. The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds.
Google+ will be available only as an enterprise product where co-workers can engage in internal discussions on a corporate social network. Google will focus on the enterprise business with the Google+ product.