Google+ hit by second API bug impacting 52.5 million users


Anyone who has been affected by the data leak should be contacted by Google.

A full list of the profile data an attacker could have gained access to can be found here; it included information such as name, email address, occupation, age, skills, birthday, nickname, and more. Although Google insists that there's no evidence that the bug was misused, it nonetheless could have given access to a considerable amount of data for around 52.5 million people. Now, a second data leak has surfaced, causing the company to move the shutdown up by four months.

With this new API bug, the second one since October, the company decided to bring the retirement of the platform forward to April 2019, while all Google+ APIs will shut down in the next 90 days. Nevertheless, the powers that be have apparently concluded that the site is more trouble than it's worth - and they're probably right, given the scrutiny Google is under.

Going forward, Google plans to shutter the Google+ APIs accessible to third parties in the next 90 days and eventually turn out the lights on the consumer-facing portion of the platform in April 2019, instead of the August 2019 date it revealed after the first breach.

According to a Google spokesperson, the bug came to light following internal tests and was not exploited by any third party, at least based on current evidence.

In addition, apps with access to a user's Google+ profile data also had access to the profile data that had been shared with the consenting user by another Google+ user but that was not shared publicly. "We discovered this bug as part of our standard and ongoing testing procedures and fixed it within a week of it being introduced."

Back in October, a security hole in Google+'s APIs led Google to announce it was shutting down the service.

We have confirmed that the bug impacted approximately 52.5 million users in connection with a Google+ API.

The API in question would have allowed developers to see information that users had set to private. In that time, Google says it has no indication that any developers that did have access to the errant API "were aware of it or misused it in any way".
