A Google+ security bug gave outside developers access to the private data of hundreds of thousands of the social network’s users between 2015 and March 2018, according to a Wall Street Journal report. Google neglected to report the issue to the public, allegedly out of fear that the company would face regulations and damage to its reputation, according to sources and documents obtained by the Journal.
In a memo cited by the paper, Google’s legal and policy staff warned against disclosing the bug, fearing it would draw comparisons to Facebook’s mishandling of user data, when more than 50 million Facebook users had their personal information leaked to the data firm Cambridge Analytica.
The information exposed in the Google+ incident included full names, email addresses, birth dates, gender, profile photos, places lived, occupation, and relationship status.
Though this incident wasn’t technically a breach—there was no hack or signs of abuse—Google has recently been at the center of a number of privacy breaches. The company was the target of a massive class action lawsuit in the U.K. after 4 million users had their personal data collected and allegedly used for targeted advertising. The lawsuit was blocked in the High Court on Monday.
The Google+ data vulnerability was discovered in March of this year during an audit of the company’s APIs, conducted by a privacy task force codenamed Project Strobe. A bug in the API could have allowed outside developers to access the data of 496,951 users who had opted to share their private profile data only with friends.
Google is expected to announce the bug on Monday, as well as its plans to shut down Google+, according to the Journal.
Editor’s Note, Oct. 9, 2018: An earlier version of this story called the Google+ incident a “data breach” in a nod to the Wall Street Journal’s characterization of the issue. No suspicious activity has been reported, though, so we’ve changed that term to “bug” throughout.