Google has decided to shut down consumer use of its Google+ social network after an internal privacy review discovered a flaw that exposed non-public profile data through its API, the company announced Monday.
Google found in March that a flaw in its Google+ People API exposed data including name, email address, occupation, gender and age. The company said it doesn’t have a concrete number on how many people were affected because the API log data is only kept for two weeks at a time. However, during a two-week testing period before the company closed the bug, profiles of up to 500,000 Google+ accounts were potentially affected, and up to 438 applications may have used the API, Google said.
“We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any profile data was misused,” a Google blog post reads.
Despite finding the bug in March, the company only made the exposure public on Monday. The company states in the blog post that its privacy office examined the type of data involved, whether it could inform users, whether there was evidence of misuse, and whether developers or users could do anything in response.
“None of these thresholds were met in this instance,” the company states.
Google launched Google+ in 2011 as an attempt to start its own social network to compete with Facebook and Twitter. At its height in 2012, the service had more than 90 million users. However, the service floundered in comparison to its rivals and the company changed the product’s focus in 2015.
The privacy review that discovered the flaw, known as Project Strobe, also resulted in Google changing a number of permissions governing how users grant apps permission to collect data. The company is also launching more granular Google Account permissions, limiting apps’ access to consumer data within the company’s email products, and limiting mobile apps’ ability to receive Call Log and SMS permissions on Android devices.
The data exposure comes as big-time social networking companies have had security incidents of their own. Last month, Twitter announced an API flaw inadvertently leaked sensitive data to other developers, including direct messages and protected tweets. A week later, Facebook disclosed a bug that allowed attackers to steal digital access tokens.
This is a developing story. It will be updated as information becomes available.