According to a report out this morning, “hundreds of thousands” of users of Google+ had their data exposed to third-party developers back in March. The company decided not to disclose the breach “because of fears that doing so would draw regulatory scrutiny and cause reputational damage,” the WSJ reports.
Half a million profiles. In the wake of the report, Google posted that the breach or potential breach resulted from a bug in an API. The company said, “the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API.” However, Google contends that there’s no evidence that profile data was misused.
The exposed profile data included names, email, demographic information and other profile data. Google also said it would shutter the consumer version of Google+. However, it will maintain a version of the site as an enterprise communication tool; it’s also used internally at Google.
Google rolled out Google+ in 2011 as a direct challenge to Facebook. It was a kind of successor to an earlier social effort called Buzz, which itself suffered a major privacy controversy and led to a Federal Trade Commission settlement resulting in privacy audits for 20 years.
Google+ evolved several times but never really took hold. Google+ underwent numerous changes and updates over the roughly seven years of its existence. However, it was never really able to develop into a self-sustaining social network to rival Facebook, Instagram or Pinterest.
On Monday, in its blog post justifying the decision to close the consumer version of Google+, the company said, “The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds.” There will be a 10-month transition, and final closure will happen in August 2019.
Google also said, more broadly, that it was going to strengthen consumer control over data shared with app developers.
What matters to marketers. Since most marketers weren’t relying on Google+ heavily, its closure isn’t going to have a significant impact. However, this breach has to be seen in the larger context of what’s going on more generally with data privacy and security. Google and Apple are both now giving users more control over their data and the ability to limit what third parties can access.
That trend should only continue. And this incident will likely add more fuel to the privacy debate and accelerate the call for comprehensive federal regulation to preempt any new local privacy and data security laws, as states seek to take action against such data breaches.
Postscript: Google disputed the characterization of the event as a “data breach” and provided the following comment:
Every year, we send millions of notifications to users about privacy and security bugs and issues. Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice.
Our Privacy and Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met here.
The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations. Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+.