Google+ shut down for consumers, may have leaked data of 500,000 users

“Google+ will be shut down for all consumers by August 2019, but will continue to run for enterprise users”

Google+, the internet search giant’s last major effort at a social network, is finally being shut down for all consumers. Ben Smith, Google’s Vice President of Engineering, announced the move in a blog post that said one of the reasons for shutting down the site was low engagement among the broader internet community. However, a bigger cause of concern — for both the company and the consumers — is a Google+ bug that could have leaked the data of as many as 500,000 users. Google+ for enterprise users will continue to run as before, the company said.

All Google+ APIs will be brought under the purview of under Project Strobe, an initiative that was launched earlier this year to perform “a review of third-party developer access to Google account and Android device data.” This review revealed a bug in one of the Google+ People APIs; this could let users give third-party apps access to their profile data as well as the public information of their friends. Due to the bug, apps could access not only the profile fields that were shared with the user but also the fields that were not marked as public. The company says the bug occurred shortly after the social website’s launch due to the “API’s interaction with a subsequent Google+ code change.” It further adds the bug was discovered in March and was immediately patched.

Google Plus Small

Google says the affected data of 500,000 users is “limited to static, optional Google+ Profile fields including name, email address, occupation, gender and age.” Excluded from the bug’s scope are Google+ posts, messages, Google account data, phone numbers and content from G Suite.

However, a Wall Street Journal report claims Google chose to not reveal the extent of the bug’s impact due to concerns about regulations and reputational damage. The bug was discovered around the same time Facebook was weathering criticism for the Cambrige Analytica scandal.

Smith in the post said it found no evidence that any developer was aware of the bug or abused it, and that there was no evidence of misuse of any Google+ profile data. The WSJ report says hundreds of third-party developers could “potentially” have accessed private profile data, and that CEO Sundar Pichai was informed of the situation. Google says it only kept the affected API’s log data for only two weeks, and thus cannot identify which users were impacted by it. As many as 438 third-party apps may have used this API, the post said.

The Google+ shutdown will not be immediate, and users will have until August next year to download or migrate their data. More information regarding migrating their data will be provided over the next few months.

One of the biggest changes users will experience thanks to Project Strobe will be granular control over their Google account data. Smith in the post said, “Going forward, consumers will get more fine-grained control over what account data they choose to share with each app. Instead of seeing all requested permissions in a single screen, apps will have to show you each requested permission, one at a time, within its own dialog box. For example, if a developer requests access to both calendar entries and Drive documents, you will be able to choose to share one but not the other.”


The company is also limiting the number of apps that can ask for the consumer Gmail API to the ones that “directly enhance email functionality” These include email clients, email backup services and productivity services, and even these apps will have to agree to Google’s new rules for handling Gmail data and can be made to undergo security assessments.

Android Contacts API, which gives third-party apps data such as contacts, call logs, SMS on Android devices, is also undergoing a change. Now, only apps that have been select as default for making calls or sending SMSes will be allowed this data, with an exception for voicemail and data backup apps. Apart from this, Google will do away with access to contact interaction data from the Android Contacts API over the next few months, the blog post said.