Google to Kill Google Plus Due to Possible Data Breach

Google will shut down its Google Plus social-networking service after an internal audit conducted in March 2018 found that more than 400 third-party applications may have improperly gathered the personal information of nearly 500,000 users, Google said in a blog post today (Oct. 8).

Credit: Twin Design/Shutterstock

(Image credit: Twin Design/Shutterstock)

The user data included full names, dates of birth, email addresses, cities or areas of residence, genders, marital status, occupational titles, places and dates of employment, profile photos and profile-page background photos. (A full list of the data types can be seen here.) The apps were not at fault — instead, a poorly configured application programming interface (API) let them read more user information than they should have seen.

“Our analysis showed that up to 438 applications may have used this API,” wrote Google vice president of engineering Ben Smith in the Google blog post. “We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any profile data was misused.”

If you’re a Google Plus user — and many people don’t realize that they are, because Google signed them up automatically — you can probably rest easy. Most of the data affected matches what’s already on your Facebook and LinkedIn profiles, although we recommend keeping your date of birth private if you can. 

MORE:  What to Do After a Data Breach

Google chose not to reveal the possible data leak right away because it feared regulation and damage to its reputation, The Wall Street Journal reported today. The leak was found in the same month that Facebook’s Cambridge Analytica scandal came to light, and two months before the European Union’s GDPR regulations tightened the rules regarding possible leaks of user data.

How personal data could have leaked

Personal data could have been leaked only under certain circumstances. If you’re a Google Plus user, you can use your “About Me” page to fine-tune your own privacy settings, deciding whether each piece of personal information is kept to yourself, or is visible to your “circles” of friends, to friends of friends in “extended circles,” to the public at large or to customized groups of people.

As a result, different people can see different amounts of information about you. The problem arises when someone who can see a lot about you installs a third-party Google Plus app, which by default sees who the other Google Plus users in your friend’s Circles are.

That’s normal. But the faulty API went further — it let the third-party apps see everything about you that that user could see. That wasn’t supposed to happen.  

Say only your close friends, or “Circles,” could see your date of birth. One of your friends installs a third-party app. You don’t use this app, and in fact you’ve never even heard of it. But because someone in your Circles has installed it, it can see your date of birth, and many other piece of data you’ve chosen to keep close to the vest.

“Like the Facebook Cambridge Analytica scandal, this Google Plus data leak was not legally a ‘breach,’” wrote privacy expert and Yale Law School fellow Tiffany C. Li on Twitter. But, she added, “both incidents also highlight the privacy risks of APIs and third-party app permissions.”

This problem doesn’t happen any more because Google closed the loophole. But the company decided that it was a good enough reason to finally put Google Plus, one of the company’s biggest failures, out of its misery.

“While our engineering teams have put a lot of effort and dedication into building Google+ over the years, it has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps,” Smith wrote in the Google blog post. “The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds.”

Google Plus will still exist as an internal networking platform for enterprises that use Google’s G Suite of business applications. But the consumer version will be wound down over more of the next year, finally ending in August 2019.

Smith said that Google was also boosting user privacy by giving Google account users more fine-grained control over what kind of personal data third-party apps access, implementing new rules about what kind of apps can access Gmail data, and limiting which Android apps can see text-message data, call logs and contact lists.

TOPICS
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Latest in Online Security
MacBook Pro 2023
New Mac attack is tricking users into thinking their computer is locked — how to stay safe
An open lock depicting a data breach
Half a million teachers hit in major data breach with SSNs, financial data and more exposed — what to do now
Green skull on smartphone screen.
Malicious Android apps with 60 million installs bombarding phones with ads and phishing attacks — how to stay safe
Malware
Dangerous new password-stealing trojan automatically reinstalls itself on infected PCs
An FBI agent typing on a computer
FBI issues warning to millions of Americans to avoid these websites that can steal your passwords and banking info
How to delete TikTok
TikTok has rolled out a vital new security feature — here's how to use it
Latest in News
Nintendo Switch 2
Nintendo Switch 2 — 7 biggest questions that need answers at Nintendo Direct April 2
iPhone 17 Air render
iPhone 17 Air — new survey could be bad news for Apple's super thin iPhone
Segway g30lp
Segway recalls 220,000 electric scooters - what to do if yours is on the list
Samsung Galaxy S25 Ultra vs S25 Plus vs S25
Satellite messaging on Google Pixel 9 and Samsung Galaxy S25 just landed on 3 more carriers
L-R: Claude (Marco Calvani), Danny (Colman Domingo), Kate (Tina Fey) and Jack (Will Forte) have their bags packed for Netflix's "The Four Seasons"
Netflix just teased a new comedy series starring Tina Fey, Steve Carrell and Colman Domingo — and we already have a release date
back of Iris Pixel 9a
The Google Pixel 9a is lacking one of the Pixel 9’s best safety features — here’s what we know
  • terrymartingolf
    Will, it come back, and when. This is a huge mistake to drop G+, It's a great community site and it's where we users can get help from those using whatever product it is we're working with. For me, I have no use for Google without the +, I use a different website for my main mail account, I can get news just about everywhere, even if your is a little less bias than most.
    Reply