
Google says it found security flaw in March but chose not to tell users

The flaw meant some Google+ profile information that users had thought was private could have been viewed by third parties.
People walk into Google's New York offices on March 5, 2018 in New York. Spencer Platt / Getty Images file

Google said on Monday that hundreds of thousands of people who used its Google+ social network may have been affected by a security flaw that the company says it discovered and fixed in March.

The flaw meant some Google+ profile information that users had thought was private, such as a person's email address, occupation, gender or age, could have been viewed by third parties, the company said in a post on a corporate blog.

Though Google found the vulnerability seven months ago, it did not tell the public at the time.

The company said that was because it could not accurately identify which users to inform, whether there was any misuse or whether there were any actions a developer or user could take in response.

The Wall Street Journal reported that Google’s legal and policy staff also prepared a memo warning that disclosing the incident would likely trigger “immediate regulatory interest” and invite comparisons to Facebook’s leak of user information to data firm Cambridge Analytica.

Google declined to comment on the report.

The central issue in the Google+ flaw and in Facebook’s Cambridge Analytica scandal was similar: how third-party apps could gain access to private data about users through their friend networks.

Someone who used their Google+ log-in to play a video game, for example, could have inadvertently allowed the game developer to see private information of their friends such as occupation or gender.

So far, Google said it has found no evidence that profile data was misused or that any developer was aware of the flaw. Facebook has said that up to 87 million people had their data harvested by Cambridge Analytica.

The security flaw will mean the end of Google+ for consumers, the company said. Google launched the service in 2011 as a challenge to Facebook but noted in its blog post on Monday that Google+ “has not achieved broad consumer or developer adoption.”

“The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds,” the company said.

Low usage combined with the security challenges means Google will wind down Google+ over the next 10 months, although it will continue to provide the service to businesses.

Google said it launched an effort at the beginning of the year called Project Strobe designed to review how other apps connect to Google’s services, and that it was making other changes as a result. It said it would add “more granular” screens for granting permission to access data, and was adding new limits to the data that third-party apps can use.