Google to kill off Google+ even sooner after new bug reveals personal info of 52.5 million customers

Google has admitted to a second massive bug in its Google+ social media service.

It affected 52.5 million Google+ accounts, including those of some business customers, for six days after it was introduced last month, Google said.

However, Google said in a blog post that it found no evidence that any other apps had accessed the data, such as name, email, gender and age, using the latest bug.

It says that in light of the latest flaw, it will shut down its Google+ social media service in April, four months ahead of schedule. 

 

A report claims Google exposed the private data of hundreds of thousands of users of its Google+ social network and opted not to disclose the issue due to fears of regulatory scrutiny

THE LATEST BUG 

A new bug introduced via a software update in November was discovered during routine testing and fixed, according to the company.

Google determined that the vulnerability affected approximately 52.5 million users, allowing applications to see profile information such as name, occupation, age and email address even if access was set to private.

 

‘We have begun the process of notifying consumer users and enterprise customers that were impacted by this bug,’ the firm added.

The internet giant will now focus on operating a version tailored for businesses, according to G Suite product management vice president David Thacker.

Application programming interfaces (APIs) used by developers to access Google+ data will be shut down within 90 days, according to Thacker.

‘With the discovery of this new bug, we have decided to expedite the shut-down of all Google+ APIs,’ Thacker said in a blog post.

‘While we recognize there are implications for developers, we want to ensure the protection of our users.’

‘No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way,’ Thacker said.

The disclosure comes a day before Chief Executive Sundar Pichai is set to testify before the House Judiciary Committee of the U.S. Congress about Google’s data collection practices. 

Some U.S. lawmakers from both major political parties have called for new privacy rules to better control Google, Facebook Inc and other large technology companies.

In October, the company said it would shut down the consumer version of Google+ in August 2019 because it would be too challenging to maintain the unpopular service.

At the time, it said profile data from up to 500,000 users might have been exposed to partner apps by a bug that was present for more than two years.

Apps that pull data from Google+ to personalize their own services with user authorization will lose access in 90 days, the company said. 

Developing Google+ for business customers would remain a focus, it added.  

Google first announced in October that it would shut down its Google+ social network, after the data of 500,000 users was leaked and nobody was told.

The tech giant has also revealed that 438 third-party apps may have had access to this data due to a ‘bug’ – in a case being compared to the Cambridge Analytica scandal that engulfed Facebook in March.

Google revealed the data breach in a statement about shutting down Google+ for consumers, seven years after its launch, citing the incident as part of the cause.

The personal information of 500,000 people using the site between 2015 and March 2018 was compromised, according to the Wall Street Journal. 

What is Google+?

Google+ launched in 2011 as the advertising giant grew more concerned about competition from Facebook, which could pinpoint ads to users based on data they had shared about their friends, likes and online activity.

Google+ copied Facebook with status updates and news feeds and let people organize their groups of friends into what it calls ‘circles.’

But Google+ and the company’s other experiments with social media struggled to win over users because of complicated features and privacy mishaps.

Facebook introduced a feature that allowed users to connect their accounts with their profiles on dating, music and other apps.

Google followed suit, letting outside developers access some Google+ data with users’ permission. 

The bug disclosed yesterday, introduced in a software update, exposed private data including name, email address, occupation, gender and age, Google said. It could not definitely say how many users were affected because it said it keeps only two weeks of such records.

Google+ will remain an internal networking option for organizations that buy Google’s G Suite, a bundle of apps for creating documents, spreadsheets and presentations.

Google’s plan to withdraw the free version of Google+, scheduled for August 2019, could help strengthen its case to US policymakers and regulators that it is different from Facebook, which has faced political heat over allegations that data belonging to 87 million of its users was improperly shared with political consultancy Cambridge Analytica.

But managers at the company chose not to go public with the bug because they worried that it would invite scrutiny from regulators, particularly in the wake of Facebook’s recent security bungle.

Shortly after the report was published, Google announced that it would be shutting Google+. 

In the announcement, Google also announced a raft of new security features for Android, Gmail and other Google platforms that it has introduced as a result of the bug.

Google said it discovered the bug as part of an internal audit called Project Strobe, which was initiated earlier this year.

‘The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations,’ Ben Smith, Google’s vice president of engineering, wrote in a blog post.  

‘Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+.’     

As a result of the breach, 496,951 users’ names, email addresses, birth dates, gender, profile photos, occupation, places they lived and relationship status were potentially exposed. 

‘It does not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G suite content,’ Smith explained.   

As many as 438 applications had access to the unauthorized Google+ data, according to the Journal.   

Security and privacy experts and financial analysts questioned the decision.

‘Users have the right to be notified if their information could have been compromised,’ said Jacob Lehmann, managing director at legal firm Friedman CyZen. 

‘This is a direct result of the scrutiny that Facebook dealt with regarding the Cambridge Analytica scandal.’

A Google spokesman said: ‘Every year, we send millions of notifications to users about privacy and security bugs and issues. 

‘Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice.

‘Our Privacy and Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met here.

‘The review did highlight the significant challenges in creating and maintaining a successful Google+ that meets consumers’ expectations. Given these challenges and the very low usage of the consumer version of Google+, we decided to sunset the consumer version of Google+.’

Google admitted in the blog post disclosing the bug that usage of Google+ has dropped off in recent years. 

The consumer version was found to have low usage and engagement, with 90 percent of Google+ user sessions lasting fewer than five seconds, according to the firm. 

‘This review crystallized what we’ve known for a while: that while our engineering teams have put a lot of effort and dedication into building Google+ over the years, it has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps,’ Smith said. 

Google will continue to operate Google+ as an enterprise product for companies.

It plans to shut down Google+ for consumers over the course of the next 10 months, with the platform officially retiring in August 2019.

The announcement comes as public scrutiny has intensified around Silicon Valley tech giants’ management of user data, among other issues. 

Google has thus far been able to defer much of the criticism to Facebook and Twitter, but the Google+ bug may thrust it further into the spotlight. 

Several policies Google introduced yesterday are designed to curb the data accessible to developers offering mobile apps on the Google Play store or add-on apps for sending and organizing Gmail messages.

Play Store apps will no longer be allowed to access text message and call logs unless they are the default calling or texting app on a user’s device or have an exception from Google.

Gmail add-ons available to consumers starting next year will be barred from selling user data and be subject to a third-party security assessment that will cost them about $15,000 (£11,460) to $75,000 (£57,320), Google said.

Such moves could strengthen Google by making it harder for competing services to grow off its data, said Chris Messina, a designer who worked on Google+ before leaving in 2013. 

‘In 2011, you wanted casual, scrappy developers creating apps, and now it is going to require a professional class that is serious. The walls are going up.’

Read more at DailyMail.co.uk