Google data breach: Google+ is shutting down after 500k accounts were compromised, and the company is introducing more controls over Gmail, and how third-party app collect user data on Android
Google has confirmed that it is shutting down Google +, a social network that was launched to rival Facebook but failed to make an impact. However, the big news is not that Google+ is finally shutting down, which seemed inevitable, but that Google hid a data breach that has compromised nearly 500,000 accounts.
According to a Wall Street Journal report, Google found the data breach in Plus in March 2018, though the software bug existed since 2015. The company also decided against reporting the incident because it “trigger immediate regulatory interest”, adds the report. WSJ is quoting from an internal memo that was reviewed by Google’s legal and policy team and took the decision not to report the breach. CEO Sundar Pichai was in the loop on this decision.
The report highlights that Google was worried that making this data breach public would lead to comparisons with Facebook and the Cambridge Analytica Scandal.
Google+ data breach: What happened?
The big takeaway for now is that Google+ is shutting down, but only the consumer version. An enterprise version will continue to exist. A review of APIs associated with Google+ revealed serious security flaws, and one bug in particular granted app developers access to user profile fields, which were not marked as public.
Essentially data which was supposed to be limited to friends and circles, could also be accessed by some app developers. In their Google+ profile, users can grant access to their Profile data and public profile information of their friends to Google+ apps. The software bug was found in one of the Google+ People APIs.
While Google insists that 90 per cent of Google+ user sessions are less than five seconds, the problem is that everyone with a Gmail or Google account automatically has a G+ account. Many users might not even remember they have a G+ account.
Google claims this data is just Profile fields like name, email address, occupation, gender and age. It insists that other data that users posted to Google+ or any other service has not been leaked like Google+ posts, messages, Google account data, phone numbers or G Suite content.
The company admits they found the bug in March 2018, but says they found no misuse of the data by app developers.
Google data breach: How many users are impacted?
Google admits that with this particular API, they only kept the log data for two weeks, which means they cannot confirm the user accounts impacted by this bug. Estimates from the company claims profiles of up to 500,000 Google+ accounts were potentially affected, notes the company.
Close to 438 applications may have used this API. Google also insists there is no “evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused,” according to the blog.
The company insists that its “Privacy & Data Protection Office” has also reviewed the problem and found no evidence of misuse. Once again since Google is not even sure which accounts were impacted, users might not be even know if their account was compromised.
Google has not even named the apps using this data to give users a clearer view of the whole situation.
So why is Google+ shutting down?
Google claims that their review highlighted there are major challenges in maintaining their ‘social network’, and that because of the low usage, they have decided to end the consumer version of site.
Google+ will start winding it down over 10-month period, which will be completed by August 2019. Consumers will be given more information on how they can download and migrate their data. Google+ also has an enterprise version, and the company claims it is better.
“We’ve decided to focus on our enterprise efforts and will be launching new features purpose-built for businesses,” notes the blog post.
No comments:
Post a Comment
Thanks!