2018 Google data breach explained

The 2018 Google data breach was a major data privacy scandal in which the Google+ API exposed the private data of over five hundred thousand users.[1]

Google+ managers first noticed harvesting of personal data in March 2018,[2] during a review following the Facebook–Cambridge Analytica data scandal. The bug, despite having been fixed immediately, exposed the private data of approximately 500,000 Google+ users to the public.[3] Google did not reveal the leak to the network's users.[4] In November 2018, another data breach occurred following an update to the Google+ API. Although Google found no evidence of failure, approximately 52.5 million personal profiles were potentially exposed.[5] In August 2019, Google declared a shutdown of Google+ due to low use and technological challenges.[6][7][8]

Overview of Google+

Google+ was launched in June 2011 as an invite-only social network,[9] but was opened for public access later in the year. It was managed by Vic Gundotra.[10]

Similar to Facebook, Google+ also included the key features Circles, Hangouts and Sparks.

Google+ was linked to other Google services, such as YouTube, Google Drive and Gmail, giving it access to roughly 2 billion user accounts.[14] However, fewer than 400 million consumers actively used Google+, with 90% of those users using it for less than five seconds.[15]

The breaches

In March 2018, Google developers found a data breach within the Google+ People API in which external apps acquired access to Profile fields that were not marked as public. 500,000 Google+ accounts were included in the breach, which gave 438 external apps unauthorized access to users' private names, emails, addresses, occupations, genders and ages. This information was available between 2015 and 2018.[16] Google found no evidence that any user's personal information had been misused, or that any third-party app developers were aware of the leak.

In November 2018, a software update created another data breach within the Google+ API. The bug impacted 52.5 million users.[17] As in the March breach, unauthorized apps were able to access Google+ profiles, including users' names, email addresses, occupations and ages. Apps could not access financial information, national identification numbers, or passwords. Blog posts, messages and phone numbers also remained inaccessible if marked as private. Unlike the previous breach, access was only available for six days before Google+ learned of the breach. Once more, Google+ found no evidence of data being misused by third-party developers.

Responses

In October 2018, the Wall Street Journal published an article outlining the initial breach and Google's decision not to disclose it to users.[18] At the time, there was no federal law that required Google to inform its consumers of data breaches. Google+ originally did not disclose the breach out of fears of being compared to Facebook's recent data leak and of a subsequent loss of consumer confidence. In response to the Wall Street Journal article, Google announced the shutdown of Google+ in August 2019.[19] After the second data leak, the date was moved to April 2019.[20] In response to the data breach, enterprise consumers were notified of the bug's impact and given instructions on how to save, download and delete their data prior to the Google+ shutdown. Google's Privacy and Data Protection Office found no misuse of user data.

Prior to the Google+ shutdown, Google set a 10-month period in which users could download and migrate their data. After the 10-month period, user content was deleted. On 4 February 2019, consumers were no longer able to create new Google+ profiles.[21] Google shut down Google+ APIs on 7 March 2019 to ensure that developers did not continue to rely on the APIs prior to the Google+ shutdown.

Google is the principal entity of its parent company, Alphabet Inc. After the data breach, Alphabet Inc. share prices fell by 1% to $1,157.06 on 9 October 2018 after an earlier drop to $1,135.40 that morning, the lowest price since 5 July 2018.[22] After the publication of The Wall Street Journal article, share prices dropped by as much as 2.1% in two days on 10 October 2018. Share prices steadily increased from this point and returned to the 8 October 2018 share price on 5 February 2019.[23]

Google planned to rebuild Google+ as a corporate enterprise network.[24] Google Play will now assess which apps can ask for permission to access the user's SMS data. Only the default app for telephone distribution is able to make requests. Prior to the data breaches, apps were able to request access to all of a consumer's data simultaneously. Now, each app must request permission for each aspect of a consumer's profile.

Notes and References

  1. Snider, Mike (1 February 2019). "Google sets April 2 closing date for Google+, download your photos and content before then". USA TODAY. Retrieved 12 May 2019.
  2. Newman, Lily Hay (12 October 2018). "A New Google+ Blunder Exposed Data From 52.5 Million Users". Wired. ISSN 1059-1028. Retrieved 12 May 2019.
  3. "Flaw leads to Google+ shutting down". Network Security. 2018 (10): 3. 2018. doi:10.1016/S1353-4858(18)30095-3. S2CID 240102979.
  4. MacMillan, Douglas; McMillan, Robert (8 October 2018). "Google Exposed User Data, Feared Repercussions of Disclosing to Public". Wall Street Journal. ISSN 0099-9660. Retrieved 12 May 2019.
  5. Romm, Tony; Timberg, Craig (10 December 2018). "New Google+ security bug could affect more than 52 million users". The Washington Post.
  6. Thacker, David (10 December 2018). "Expediting changes to Google+". Google. Retrieved 12 May 2019.
  7. "Google+ API Shutdown Google+ Platform". Google Developers. Retrieved 14 May 2019.
  8. "Google's social network is closing". New Scientist. 240 (3199): 4. 2018. doi:10.1016/S0262-4079(18)31819-0. S2CID 240126196.
  9. Fox, Chris (2 April 2019). "Google shuts failed social network Google+". BBC News.
  10. Dieter, Daniel (11 November 2018). "Google+ Case Study: Create a Social Network or Risk Everything". Performance Improvement. 57 (10): 26–36. doi:10.1002/pfi.21826. S2CID 69571511.
  11. Ovadia, Steven (5 December 2011). "An Early Introduction to the Google+ Social Networking Project". Behavioral & Social Sciences Librarian. 30 (4): 259–263. doi:10.1080/01639269.2011.622258. S2CID 62551198.
  12. Golbeck, Jennifer (2015). "Google+". Introduction to Social Media Investigation. pp. 137–149. doi:10.1016/B978-0-12-801656-5.00013-5. ISBN 9780128016565.
  13. Perez, Sarah (November 2018). "Looking back at Google+". TechCrunch. Retrieved 12 May 2019.
  14. "Google+ social media service to shut down after private data of at least 500,000 users exposed". ABC News. 9 October 2018.
  15. Ganjoo, Shweta. "Former Google+ designer explains why Google's social media play failed: it was mostly office politics". India Today. Retrieved 12 May 2019.
  16. Burton, Winston (25 October 2018). "Google Plus: Past, Present & Future". Search Engine Journal.
  17. "Expediting changes to Google+". Google. 10 December 2018. Retrieved 12 May 2019.
  18. MacMillan, Douglas; McMillan, Robert (8 October 2018). "Google Exposed User Data, Feared Repercussions of Disclosing to Public". Wall Street Journal. ISSN 0099-9660. Retrieved 5 December 2021.
  19. Smith, Ben (8 October 2018). "Project Strobe: Protecting your data, improving our third-party APIs, and sunsetting consumer Google+". Google Blog. Retrieved 12 May 2019.
  20. "Frequently asked questions about the Google+ shutdown - Google+ Help". support.google.com. Retrieved 12 May 2019.
  21. Nelson, Alex (7 February 2019). "Google+ shutdown: how to back up photos and data before your account closes". inews.co.uk. Retrieved 12 May 2019.
  22. De Vynck, Gerrit; Nix, Naomi (9 October 2018). "Google Discloses Privacy Security Flaw Kept Quiet Since March". Bloomberg.
  23. Aitken, Roger. "Alphabet 'In The Soup' Over Costs, But Analysts' Average Google Price Target $1,346". Forbes.
  24. "Currents: Have Meaningful Discussions at Work G Suite". gsuite.google.com. Retrieved 12 May 2019.