Just before Made by Google 2018, the company announced that it was shutting down Google+ for consumers after discovering a privacy bug. Google today uncovered a second issue with its social network and is expediting the deprecation as a result.
The latest bug introduced in November was in relation to the Google+ API. Namely, third-party apps that requested permission to view profile information — like name, email address, occupation, age, and more — were also inadvertently “granted permission to view profile information about that user even when set to not-public.”
In addition, apps with access to a user’s Google+ profile data also had access to the profile data that had been shared with the consenting user by another Google+ user but that was not shared publicly.
Approximately 52.5 million users were impacted according to Google, but the company found “no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way.” Google itself discovered the issue as part of “standard and ongoing testing procedures” and fixed it within a week, adding that “no third party compromised our systems.”
Regardless, Google is moving up the planned deprecation of the consumer-facing social network. This starts with the Google+ API shutting down within the next 90 days, while Google+ will be sunset for general users on April 2019, instead of August.
Google will be communicating with parties that rely on the API in the coming days, with details available on the Google+ developer page.
Meanwhile, Google is beginning to notify consumer users and enterprise customers that were impacted, with an ongoing investigation to see if there is any potential impact to other Google+ APIs.
We are in the process of notifying any enterprise customers that were impacted by this bug. A list of impacted users in those domains is being sent to system administrators, and we will reach out again if any additional impacted users or issues are discovered.