Another week, another data breach. But this time, it wasn't Facebook we were all talking about.
What happened?
Earlier this week, Google said the private information of as many as 500,000 users of its Google+ social network may have been exposed by a bug it discovered - and quietly fixed - last year. A developer API was found to be able to see information it shouldn't, namely fields that were not marked public.
What exactly does that mean?
According to Google, users could grant access to profile data and the public profile information of their friends through the API. But the bug gave the API access to profile fields that were shared with the user, but not marked as public. That includes friends’ email addresses, occupation, gender and age, but not things like Google+ posts, messages, Google account data, phone numbers or G Suite content. So when users granted access to the API, it also got access to friends’ information.
What did Google do?
Ironically, it was around the same time that Facebook was facing the Cambridge Analytica story. Google fixed the bug and said nothing, noting that disclosing it would bring a lot of unwanted attention to the company. But when the story broke this week, it sprang into action - and said it would be shutting down consumer access to Google+, and giving users more detailed security controls.
Google+ still existed?
Yes. That bit may have been news to everyone else too. But it turns out very few people were actually using it for any length of time. According to Google, engagement was very low, so it was probably an easy decision to finally throw in the towel.
How does it affect me?
Only a little over 430 developers actually applied for access to this particular API, which isn’t a huge number of people regardless of how you look at it. But it only takes one to have malicious intentions, right? According to Google though, there is no evidence that any private data was accessed because of the bug. And there are questions about how much private data was actually on Google+ given how few people actually used it. But it’s hard to say for sure, because Google only keeps log data for this particular API for two weeks. Google wasn’t actually looking for any problems, but it says there is no evidence to suggest any of the developers using the API actually abused the bug.
Do I need to do anything?
If you have a Google+ account and want any of the data that is currently sitting on it, keep an eye out in the coming weeks. Google will be telling people how they can get their information off the social network to keep it.
It might also be worth doing a quick security checkup for your Google accounts to see what information you are sharing, and consider implementing two-factor authentication to secure your account. Just in case.
What’s next?
Well, you can wait to see if your account was one of the 30 million now confirmed to be affected by Facebook’s “View As” data breach announced a couple of weeks ago. The social network said about half of those accounts had data accessed, including name and contact details, relationship status, religion, hometown, current city, birthdate, recent activity, recent check-ins, education, work, people or Pages they follow, and the 15 most recent searches. The good news is, it’s down from 50 million initially thought to be affected.
Not if you are one of the accounts affected
No, probably not.