2018 Google data breach

A photograph of Vic Gundotra.
Vic Gundotra, Google+ lead at the time of the leaks.

The 2018 Google data breach was a major data privacy scandal in which the Google+ API exposed the private data of over five hundred thousand users.[1]

Google+ managers first noticed harvesting of personal data in March 2018,[2] during a review following the Facebook–Cambridge Analytica data scandal. The bug, despite having been fixed immediately, exposed the private data of approximately 500,000 Google+ users to the public.[3] Google did not reveal the leak to the network's users.[4] In November 2018, another data breach occurred following an update to the Google+ API. Although Google found no evidence of failure, approximately 52.5 million personal profiles were potentially exposed.[5] In August 2019, Google declared a shutdown of Google+ due to low use and technological challenges.[6][7][8]

Overview of Google+

Google+ was launched in June 2011 as an invite-only social network,[9] but was opened for public access later in the year. It was managed by Vic Gundotra.[10]

Similar to Facebook, Google+ also included key features Circles, Hangouts and Sparks.

  • Circles let users personalize their social groups by sorting friends into different categories. Once allowed into a Circle, users could regulate information in their individual spaces.[11]
  • Hangouts included video chatting and instant messaging between users.[12]
  • Sparks allowed Google to track users' past searches to find news and content related to their interests.[13]

Google+ was linked to other Google services, such as YouTube, Google Drive and Gmail, giving it access to roughly 2 billion user accounts.[14] However, less than 400 million consumers actively used Google+, with 90% of those users using it for less than five seconds.[15]

The breaches

In March 2018, Google developers found a data breach within the Google+ People API in which external apps acquired access to Profile fields that were not marked as public.[3] 500,000 Google+ accounts were included in the breach, which allowed 438 external apps unauthorized access to private users' names, emails, addresses, occupations, genders and ages.[3] This information was available between 2015 and 2018.[16] Google found no evidence of any user's personal information being misused, nor that any third-party app developers were aware of the leak.

In November 2018, a software update created another data breach within the Google+ API. The bug impacted 52.5 million users,[17] where, similarly to the March breach, unauthorized apps were able to access Google+ profiles, including users' names, email addresses, occupations and ages. Apps could not access financial information, national identification, numbers, or passwords. Blog posts, messages and phone numbers also remained inaccessible if marked as private. Unlike the previous breach, access was only available for six days before Google+ learned of the breach. Once more, Google+ found no evidence data being misused by third-party developers.

Responses

In October 2018, the Wall Street Journal published an article outlining the initial breach and Google's decision to not disclose it to users.[18] At the time, there was no federal law that required Google to inform their consumers of data breaches. Google+ originally did not disclose the breach out of fears of being compared to Facebook's recent data leak and subsequent loss of consumer confidence.[4] In response to the Wall Street Journal article, Google announced the shutdown of Google+ in August 2019.[19] After the second data leak, the date was moved to April 2019.[20] In response to the data breach, enterprise consumers were notified of the bug's impact and given instructions on how to save, download and delete their data prior to the Google+ shut down. Google's Privacy and Data Protection Office found no misuse of user data.

Prior to the Google+ shutdown, Google set a 10-month period in which users could download and migrate their data. After the 10-month period, user content was deleted. On 4 February 2019, consumers were no longer able to create new Google+ profiles.[21] Google shut down Google+ APIs on 7 March 2019 to ensure that developers did not continue to rely on the APIs prior to the Google+ shutdown.[7][16]

Google is the principal entity of its parent company, Alphabet Inc. After the data breach, Alphabet Inc. share prices fell by 1% to $1,157.06 on 9 October 2018 after an earlier drop of $1,135.40 that morning, the lowest price since 5 July 2018.[22] After the publication of The Wall Street Journal article, share prices dropped as low as 2.1% in two days on 10 October 2018. Share prices steadily increased from this point and met the 8 October 2018 share price on 5 February 2019.[23]

Google planned to rebuild Google+ as a corporate enterprise network.[24] Google Play will now assess which apps can ask for permission to access the user's SMS data. Only the default app for telephone distribution is able to make requests. Prior to the data breaches, apps were able to request access to all of a consumer's data simultaneously. Now, each app must request permission for each aspect of a consumer's profile.

References

  1. ^ Snider, Mike (1 February 2019). "Google sets April 2 closing date for Google+, download your photos and content before then". USA TODAY. Retrieved 12 May 2019.
  2. ^ Newman, Lily Hay (12 October 2018). "A New Google+ Blunder Exposed Data From 52.5 Million Users". Wired. ISSN 1059-1028. Retrieved 12 May 2019.
  3. ^ a b c "Flaw leads to Google+ shutting down". Network Security. 2018 (10): 3. 2018. doi:10.1016/S1353-4858(18)30095-3. S2CID 240102979.
  4. ^ a b MacMillan, Douglas; McMillan, Robert (8 October 2018). "Google Exposed User Data, Feared Repercussions of Disclosing to Public". Wall Street Journal. ISSN 0099-9660. Retrieved 12 May 2019.
  5. ^ Romm, Tony; Timberg, Craig (10 December 2018). "New Google+ security bug could affect more than 52 million users". The Washington Post.
  6. ^ Thacker, David (10 December 2018). "Expediting changes to Google+". Google. Retrieved 12 May 2019.
  7. ^ a b "Google+ API Shutdown | Google+ Platform". Google Developers. Retrieved 14 May 2019.
  8. ^ "Google's social network is closing". New Scientist. 240 (3199): 4. 2018. doi:10.1016/S0262-4079(18)31819-0. S2CID 240126196.
  9. ^ Fox, Chris (2 April 2019). "Google shuts failed social network Google+". BBC News.
  10. ^ Dieter, Daniel (11 November 2018). "Google+ Case Study: Create a Social Network or Risk Everything". Performance Improvement. 57 (10): 26–36. doi:10.1002/pfi.21826. S2CID 69571511.
  11. ^ Ovadia, Steven (5 December 2011). "An Early Introduction to the Google+ Social Networking Project". Behavioral & Social Sciences Librarian. 30 (4): 259–263. doi:10.1080/01639269.2011.622258. S2CID 62551198.
  12. ^ Golbeck, Jennifer (2015). "Google+". Introduction to Social Media Investigation. pp. 137–149. doi:10.1016/B978-0-12-801656-5.00013-5. ISBN 9780128016565.
  13. ^ Perez, Sarah (November 2018). "Looking back at Google+". TechCrunch. Retrieved 12 May 2019.
  14. ^ "Google+ social media service to shut down after private data of at least 500,000 users exposed". ABC News. 9 October 2018.
  15. ^ Ganjoo, Shweta. "Former Google+ designer explains why Google's social media play failed: it was mostly office politics". India Today. Retrieved 12 May 2019.
  16. ^ a b Burton, Winston (25 October 2018). "Google Plus: Past, Present & Future". Search Engine Journal.
  17. ^ "Expediting changes to Google+". Google. 10 December 2018. Retrieved 12 May 2019.
  18. ^ McMillan, Douglas MacMillan and Robert (2018-10-08). "Google Exposed User Data, Feared Repercussions of Disclosing to Public". Wall Street Journal. ISSN 0099-9660. Retrieved 2021-12-05.
  19. ^ Smith, Ben (8 October 2018). "Project Strobe: Protecting your data, improving our third-party APIs, and sunsetting consumer Google+". Google Blog. Retrieved 12 May 2019.
  20. ^ "Frequently asked questions about the Google+ shutdown - Google+ Help". support.google.com. Retrieved 12 May 2019.
  21. ^ Nelson, Alex (7 February 2019). "Google+ shutdown: how to back up photos and data before your account closes". inews.co.uk. Retrieved 12 May 2019.
  22. ^ De Vynck, Gerrit; Nix, Naomi (9 October 2018). "Google Discloses Privacy Security Flaw Kept Quiet Since March". Bloomberg.
  23. ^ Aitken, Roger. "Alphabet 'In The Soup' Over Costs, But Analysts' Average Google Price Target $1,346". Forbes.
  24. ^ "Currents: Have Meaningful Discussions at Work | G Suite". gsuite.google.com. Retrieved 12 May 2019.