2018 Google data breach
View on Wikipedia
The 2018 Google data breach was a major data privacy scandal in which the Google+ API exposed the private data of over five hundred thousand users.[1]
Google+ managers first noticed harvesting of personal data in March 2018,[2] during a review following the Facebook–Cambridge Analytica data scandal. The bug, despite having been fixed immediately, exposed the private data of approximately 500,000 Google+ users to the public.[3] Google did not reveal the leak to the network's users.[4] In November 2018, another data breach occurred following an update to the Google+ API. Although Google found no evidence of failure, approximately 52.5 million personal profiles were potentially exposed.[5] In August 2019, Google declared a shutdown of Google+ due to low use and technological challenges.[6][7][8]
Overview of Google+
[edit]Google+ was launched in June 2011 as an invite-only social network,[9] but was opened for public access later in the year. It was managed by Vic Gundotra.[10]
Similar to Facebook, Google+ also included key features Circles, Hangouts and Sparks.
- Circles let users personalize their social groups by sorting friends into different categories. Once allowed into a Circle, users could regulate information in their individual spaces.[11]
- Hangouts included video chatting and instant messaging between users.[12]
- Sparks allowed Google to track users' past searches to find news and content related to their interests.[13]
Google+ was linked to other Google services, such as YouTube, Google Drive and Gmail, giving it access to roughly 2 billion user accounts.[14] However, less than 400 million consumers actively used Google+, with 90% of those users using it for less than five seconds.[15]
The breaches
[edit]In March 2018, Google developers found a data breach within the Google+ People API in which external apps acquired access to Profile fields that were not marked as public.[3] According to The Wall Street Journal, Google didn’t disclose the breach when it was first discovered in March to avoid regulatory scrutiny and reputational damage.[4]
500,000 Google+ accounts were included in the breach, which allowed 438 external apps unauthorized access to private users' names, emails, addresses, occupations, genders and ages.[3] This information was available between 2015 and 2018.[16] Google found no evidence of any user's personal information being misused, nor that any third-party app developers were aware of the leak.
In November 2018, a software update created another data breach within the Google+ API.[17] The bug impacted 52.5 million users,[18][2] where, similarly to the March breach, unauthorized apps were able to access Google+ profiles, including users' names, email addresses, occupations and ages. Apps could not access financial information, national identification, numbers, or passwords. Blog posts, messages and phone numbers also remained inaccessible if marked as private. Unlike the previous breach, access was only available for six days before Google+ learned of the breach. Once more, Google+ found no evidence of data being misused by third-party developers.
Responses
[edit]In October 2018, the Wall Street Journal published an article outlining the initial breach and Google's decision to not disclose it to users.[4] At the time, there was no federal law that required Google to inform their consumers of data breaches. Google+ originally did not disclose the breach out of fears of being compared to Facebook's recent data leak and subsequent loss of consumer confidence.[4] In response to the Wall Street Journal article, Google announced the shutdown of Google+ in August 2019.[19] After the second data leak, the date was moved to April 2019.[20] In response to the data breach, enterprise consumers were notified of the bug's impact and given instructions on how to save, download and delete their data prior to the Google+ shut down. Google's Privacy and Data Protection Office found no misuse of user data.
Prior to the Google+ shutdown, Google set a 10-month period in which users could download and migrate their data. After the 10-month period, user content was deleted. On 4 February 2019, consumers were no longer able to create new Google+ profiles.[21] Google shut down Google+ APIs on 7 March 2019 to ensure that developers did not continue to rely on the APIs prior to the Google+ shutdown.[7][16]
Google is the principal entity of its parent company, Alphabet Inc. After the data breach, Alphabet Inc. share prices fell by 1% to $1,157.06 on 9 October 2018 after an earlier drop of $1,135.40 that morning, the lowest price since 5 July 2018.[22] After the publication of The Wall Street Journal article, share prices dropped as low as 2.1% in two days on 10 October 2018. Share prices steadily increased from this point and met the 8 October 2018 share price on 5 February 2019.[23]
Google planned to rebuild Google+ as a corporate enterprise network.[24] Google Play will now assess which apps can ask for permission to access the user's SMS data. Only the default app for telephone distribution is able to make requests. Prior to the data breaches, apps were able to request access to all of a consumer's data simultaneously. Now, each app must request permission for each aspect of a consumer's profile.
References
[edit]- ^ Snider, Mike (1 February 2019). "Google sets April 2 closing date for Google+, download your photos and content before then". USA TODAY. Retrieved 12 May 2019.
- ^ a b Newman, Lily Hay (12 October 2018). "A New Google+ Blunder Exposed Data From 52.5 Million Users". Wired. ISSN 1059-1028. Retrieved 12 May 2019.
- ^ a b c "Flaw leads to Google+ shutting down". Network Security. 2018 (10): 3. 2018. doi:10.1016/S1353-4858(18)30095-3. S2CID 240102979.
- ^ a b c d MacMillan, Douglas; McMillan, Robert (8 October 2018). "Google Exposed User Data, Feared Repercussions of Disclosing to Public". Wall Street Journal. ISSN 0099-9660. Retrieved 12 May 2019.
- ^ Romm, Tony; Timberg, Craig (10 December 2018). "New Google+ security bug could affect more than 52 million users". The Washington Post.
- ^ Thacker, David (10 December 2018). "Expediting changes to Google+". Google. Retrieved 12 May 2019.
- ^ a b "Google+ API Shutdown | Google+ Platform". Google Developers. Retrieved 14 May 2019.
- ^ "Google's social network is closing". New Scientist. 240 (3199): 4. 2018. doi:10.1016/S0262-4079(18)31819-0. S2CID 240126196.
- ^ Fox, Chris (2 April 2019). "Google shuts failed social network Google+". BBC News.
- ^ Dieter, Daniel (11 November 2018). "Google+ Case Study: Create a Social Network or Risk Everything". Performance Improvement. 57 (10): 26–36. doi:10.1002/pfi.21826. S2CID 69571511.
- ^ Ovadia, Steven (5 December 2011). "An Early Introduction to the Google+ Social Networking Project". Behavioral & Social Sciences Librarian. 30 (4): 259–263. doi:10.1080/01639269.2011.622258. S2CID 62551198.
- ^ Golbeck, Jennifer (2015). "Google+". Introduction to Social Media Investigation. pp. 137–149. doi:10.1016/B978-0-12-801656-5.00013-5. ISBN 9780128016565.
- ^ Perez, Sarah (November 2018). "Looking back at Google+". TechCrunch. Retrieved 12 May 2019.
- ^ "Google+ social media service to shut down after private data of at least 500,000 users exposed". ABC News. 9 October 2018.
- ^ Ganjoo, Shweta. "Former Google+ designer explains why Google's social media play failed: it was mostly office politics". India Today. Retrieved 12 May 2019.
- ^ a b Burton, Winston (25 October 2018). "Google Plus: Past, Present & Future". Search Engine Journal.
- ^ "Second Google+ data exposure leads to earlier service shutdown | TechTarget". Search Security. Retrieved 2025-03-06.
- ^ "Expediting changes to Google+". Google. 10 December 2018. Retrieved 12 May 2019.
- ^ Smith, Ben (8 October 2018). "Project Strobe: Protecting your data, improving our third-party APIs, and sunsetting consumer Google+". Google Blog. Retrieved 12 May 2019.
- ^ "Frequently asked questions about the Google+ shutdown - Google+ Help". support.google.com. Retrieved 12 May 2019.
- ^ Nelson, Alex (7 February 2019). "Google+ shutdown: how to back up photos and data before your account closes". inews.co.uk. Retrieved 12 May 2019.
- ^ De Vynck, Gerrit; Nix, Naomi (9 October 2018). "Google Discloses Privacy Security Flaw Kept Quiet Since March". Bloomberg.
- ^ Aitken, Roger. "Alphabet 'In The Soup' Over Costs, But Analysts' Average Google Price Target $1,346". Forbes.
- ^ "Currents: Have Meaningful Discussions at Work | G Suite". gsuite.google.com. Retrieved 12 May 2019.
2018 Google data breach
View on GrokipediaBackground
Google+ origins and purpose
Google+ originated as Google's most ambitious attempt to enter the social networking space, launched on June 28, 2011, following the company's earlier, less successful ventures such as Orkut, Google Buzz, and Google Wave.[7] These prior efforts had failed to gain significant traction, prompting Google to consolidate its social strategy under a unified platform aimed at integrating user identity and interactions across its broader ecosystem of services.[7] The project was spearheaded by Vic Gundotra, Google's Senior Vice President of Engineering, who had joined the company in 2007 and was instrumental in driving the development of social features.[8] The primary purpose of Google+ was to challenge Facebook's dominance in social networking by emphasizing user-controlled sharing and seamless integration with Google products like Gmail, YouTube, and later Google Drive.[9] Google positioned the platform as a means to make online interactions more akin to real-life relationships, with built-in tools for selective sharing that addressed privacy concerns prevalent in competitors.[9] This integration strategy sought to leverage Google's vast user data and search infrastructure to create a "social layer" enhancing personalization and connectivity, rather than merely replicating Facebook's model.[10] Initial rollout was limited to a field trial via invitations, reflecting Google's intent to refine the service before broader public access.[7]Platform features and user base
Google+ operated as a social networking service integrated with Google's ecosystem, emphasizing selective sharing through Circles, which allowed users to categorize contacts into groups such as family, friends, or colleagues for targeted post visibility.[11] The platform's Stream functioned as a chronological feed aggregating updates, photos, videos, and links from selected circles, while the +1 button enabled content endorsements that influenced search results and recommendations across Google properties.[12] Additional features included Hangouts for instant messaging, video calls, and group chats; automatic photo uploads and editing via Google Photos integration; Communities for interest-based group discussions; and Collections for curating themed content boards.[13] These tools aimed to facilitate "real-life sharing" by prioritizing privacy controls and multimedia interactions over broad public broadcasting.[11] The platform's user base derived largely from Google's existing account holders, as profiles were auto-generated for Gmail and other service users unless manually deleted, resulting in an estimated hundreds of millions of profiles by 2018.[14] A November 2018 API vulnerability potentially exposed data from 52.5 million such profiles, underscoring the scale of registered but often inactive accounts.[4] Active engagement remained low, however, with the service struggling against dominant competitors like Facebook; third-party analyses indicated limited monthly visits, such as around 34 million unique ones reported in early 2018, predominantly from U.S. users comprising over half the audience.[15] This dormant majority reflected Google+'s integration-driven growth rather than organic adoption, contributing to its characterization as a "ghost town" with minimal daily interactions by late 2018.[16]Technical Vulnerabilities
March 2018 API bug
In March 2018, Google identified a software bug in its Google+ People API, which had existed since the platform's consumer launch in 2015. The flaw stemmed from the API's unintended interaction with a single backend database, enabling third-party applications to retrieve private profile fields that users had not marked as public. Affected fields included full name, email address, occupation, gender, age, and profile photo.[17][18] The vulnerability potentially impacted up to 500,000 Google+ user profiles, though the exact number of exposed records remains unconfirmed due to the absence of logged access attempts. Google engineers detected the issue during internal testing and applied a patch on the same day, restoring compliance with the API's access controls. No logs indicated exploitation by developers, and Google reported no evidence of data misuse or unauthorized retrieval during the period the bug was active.[17][5][19] Technical analysis post-discovery attributed the bug to a mismatch in how the API queried and returned data, bypassing visibility restrictions intended to limit third-party access to only consented public information. This incident highlighted risks in API design for social platforms, where granular permissions can fail under edge-case database interactions, though Google maintained that the platform's low developer engagement minimized broader exposure.[17][18]November-December 2018 API exposure
In November 2018, a software update to the Google+ People API on November 7 inadvertently created a bug that enabled third-party applications with permission to access a user's public profile data to also retrieve private profile fields, such as full names, birth dates, email addresses, employment history, gender, and residence information.[2][20] This vulnerability affected approximately 52.5 million Google+ user accounts, though Google stated there was no evidence that any developer exploited the bug or that user data was misused during the exposure period, which lasted nearly a week.[14][21] Google internally identified and patched the API bug shortly after its introduction, preventing further exposure, but the company delayed public disclosure until December 10, 2018, as part of its broader Project Strobe review of third-party API security following an earlier incident.[2][22] The revelation prompted Google to accelerate the shutdown of all Google+ APIs to within 90 days and expedite the consumer-facing Google+ platform's closure by April 2019, citing repeated vulnerabilities as undermining consumer trust.[23][21] Unlike the March 2018 bug, which involved unauthorized scraping of up to 500,000 profiles, this incident stemmed from flawed permission scoping in the API update rather than a broader access control failure, though both highlighted ongoing issues in Google's handling of private data in social APIs.[20][14]Disclosure and Immediate Responses
Internal handling and decision-making
Google discovered a software bug in its Google+ People API in March 2018, which enabled third-party applications to access private user profile data such as full names, email addresses, birthdates, gender, and relationship status for approximately 500,000 users without consent.[1] The vulnerability stemmed from improper handling of API permissions, allowing apps approved via Google's developer console to retrieve data from profiles not shared publicly with those apps.[24] Internal engineering teams promptly disabled the affected API and conducted an audit, finding no evidence that any developer had become aware of or exploited the bug during its existence.[25] Senior Google executives then engaged in decision-making deliberations, reviewing an internal memo that outlined the potential fallout from public disclosure, including heightened regulatory scrutiny from bodies like the Federal Trade Commission and comparisons to Facebook's Cambridge Analytica scandal.[1] [26] The memo emphasized risks such as broader inquiries into Google's data practices and negative media coverage, weighing these against the absence of demonstrated harm or data misuse, ultimately leading to a decision against voluntary disclosure to users or regulators.[27] This choice deviated from expectations of transparency in data exposure incidents, prioritizing avoidance of "repercussions" over proactive notification, as later criticized by U.S. Senators who demanded the memo's release to assess accountability.[26] [28] Following the Wall Street Journal's October 8, 2018, reporting on the undisclosed March incident, Google accelerated internal reviews of its APIs, uncovering a second bug in the Google+ API introduced by a November 7, 2018, software update.[2] This flaw exposed profile data—including names, addresses, and phone numbers—for about 52.5 million users to external developers, though again with no confirmed abuse after swift patching on December 3, 2018.[4] In contrast to the prior handling, executives opted for immediate public disclosure on December 10, 2018, announcing the expedited shutdown of all Google+ consumer APIs within 90 days to mitigate ongoing risks.[4] This shift reflected lessons from the first incident's exposure, prioritizing transparency amid mounting external pressure.[24]Public announcements and fixes
On October 8, 2018, Google disclosed via its official blog that a bug in the Google+ People API, present since 2015, had been identified and patched in March 2018, potentially allowing unauthorized third-party apps to access private profile fields—including full names, email addresses, occupations, gender, and age—from up to 500,000 user accounts.[17] The company emphasized that internal reviews found no evidence of the exposed data being accessed or misused by external developers.[17] In immediate response, Google initiated Project Strobe, a comprehensive audit of third-party API access to user data across its services, and announced the phased wind-down of consumer Google+ functionality by August 2019 to prioritize privacy enhancements.[17] On December 10, 2018, Google announced a second API vulnerability, stemming from a November 7 update to the Google+ API, which briefly exposed profile information—such as names, email addresses, home addresses, birthdates, gender, phone numbers, employment details, and relationship status—from 52.5 million user profiles to external applications over a six-day period before being rectified.[4] Google again reported no detected instances of data exploitation during the exposure window.[4] To mitigate further risks, the firm expedited the complete shutdown of all Google+ APIs within 90 days and advanced the consumer platform's termination from August to April 2019, while notifying affected enterprise users and providing data export options.[4] These actions were framed as part of ongoing commitments under Project Strobe to restrict unnecessary data access scopes in APIs.[4]Controversies
Delayed disclosure rationale
Google identified the March 2018 Google+ API bug during an internal privacy review triggered by the Facebook-Cambridge Analytica scandal, with the vulnerability having potentially exposed private profile data—such as names, email addresses, occupations, genders, and ages—of up to 500,000 users to third-party developers from 2015 until its patch in March 2018.[1][3] The company stated publicly that it found no evidence any developer had accessed or misused the data, asserting this as a key factor in withholding disclosure, as internal assessments deemed the incident low-risk absent confirmed exploitation.[17][29] However, internal memos reviewed by The Wall Street Journal indicated executives overrode recommendations from engineering teams to disclose the bug, primarily due to fears of inviting regulatory investigations and reputational damage akin to Facebook's post-Cambridge Analytica fallout, with one document explicitly noting concerns over "immediate regulatory interest" and scrutiny from bodies like the Federal Trade Commission.[1] Google's decision reflected a calculus prioritizing avoidance of public and legal repercussions over proactive transparency, as evidenced by the six-month silence despite the bug's discovery aligning with heightened industry focus on data privacy following major scandals.[24] The delay drew criticism for undermining user trust and echoing patterns of corporate self-preservation in tech, with privacy advocates arguing it exemplified a broader reluctance to self-report vulnerabilities without external pressure; disclosure finally occurred on October 8, 2018, only after The Wall Street Journal informed Google of its forthcoming exposé based on the internal documents.[24][30] In contrast to the rapid patching, the nondisclosure rationale hinged on probabilistic risk assessment—no confirmed harm meant no obligation under prevailing norms—but this approach amplified perceptions of opacity, contributing to accelerated plans to sunset consumer Google+.[17][31]Comparisons to peer company breaches
The 2018 Google+ breaches, involving API vulnerabilities that exposed profile data without evidence of external exploitation, bore similarities to contemporaneous incidents at peer social platforms, particularly Facebook's September 2018 security compromise. Both cases stemmed from software flaws enabling unauthorized access to user information: Google+'s March bug in the People API permitted third-party developers to scrape private fields like names, emails, and occupations from up to 500,000 profiles, while Facebook's "View As" feature vulnerability allowed attackers to steal access tokens from approximately 50 million accounts, potentially granting full profile control including private messages and friends lists.[1][32] Neither incident showed confirmed data misuse by outsiders, with Google stating no evidence of abuse in its exposures and Facebook reporting no observed token exploitation beyond the initial theft.[5][33]| Aspect | Google+ (March 2018 Bug) | Facebook (September 2018 Breach) |
|---|---|---|
| Affected Users | Up to 500,000 | 50 million (plus 40 million via linked accounts)[32] |
| Data Exposed | Profile names, emails, occupations, ages | Access tokens enabling full account takeover[32] |
| Discovery & Fix | Discovered and patched March 2018 | Detected September 25, 2018; immediate mitigation[2] |
| Disclosure Timing | Delayed until October 8, 2018, amid fears of scrutiny akin to Facebook's earlier scandals[1] | Prompt, on September 28, 2018[32] |
| Immediate Response | No user notifications; internal decision to withhold public report[1] | Forced logouts for 90 million users; enhanced security checks[32] |
.jpg)