A software glitch in the Google+ social site gave outside developers potential access to private Google+ profile data between 2015 and March 2018, when Google discovered and fixed the issue.
The bug was related to one of the Google+ People APIs.
Users could grant access to their Profile data, and the public Profile information of their friends, to Google+ apps, via the API.
The bug meant that apps also had access to Profile fields that were shared with the user, but not marked as public.
Google said that the data was limited to static, optional Google+ Profile fields including name, email address, occupation, gender and age. It did not include any other data users may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content.
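The access-control mistake described above can be modelled in a few lines. This is an added illustration, not Google's code: the data model, function names and sample profiles are constructed, and it assumes the flaw amounted to applying the consenting user's own view of a friend's profile to the app instead of a public-only view.

```python
from dataclasses import dataclass

PUBLIC = "public"

@dataclass(frozen=True)
class Field:
    value: str
    visibility: str = PUBLIC             # PUBLIC, or "shared" with specific users
    shared_with: frozenset = frozenset()

# Constructed sample data: alice installs an app; bob is her friend.
PROFILES = {
    "alice": {"friends": ["bob"], "fields": {"name": Field("Alice")}},
    "bob": {"friends": ["alice"], "fields": {
        "name": Field("Bob"),
        "email": Field("bob@example.com", "shared", frozenset({"alice"})),
        "occupation": Field("Nurse", "shared", frozenset({"carol"})),
    }},
}

def user_can_see(f, viewer):
    """Visibility for a person browsing profiles: public or shared with them."""
    return f.visibility == PUBLIC or viewer in f.shared_with

def app_can_see(f, viewer):
    """Visibility for a third-party app reading a friend's profile: public only."""
    return f.visibility == PUBLIC

def friend_fields(profiles, consenting_user, allowed):
    """Return {friend: {field: value}} filtered by the given visibility predicate."""
    out = {}
    for friend in profiles[consenting_user]["friends"]:
        out[friend] = {n: f.value for n, f in profiles[friend]["fields"].items()
                       if allowed(f, consenting_user)}
    return out

def overexposed(profiles, consenting_user):
    """Fields the flawed check hands to the app but the intended check withholds."""
    flawed = friend_fields(profiles, consenting_user, user_can_see)
    intended = friend_fields(profiles, consenting_user, app_can_see)
    return {fr: sorted(set(flawed[fr]) - set(intended[fr])) for fr in flawed}

if __name__ == "__main__":
    print(overexposed(PROFILES, "alice"))
```

Running `overexposed` as a regression test on every API change catches the case where a field shared with the user, but not public, reaches the app.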
Google says it keeps this API's log data for only two weeks, so the company cannot confirm which users were impacted by this bug. However, "detailed analysis" over the two weeks prior to patching the bug showed that the Profiles of up to 500,000 Google+ accounts were potentially affected. Google's analysis showed that up to 438 applications may have used this API.
Google also found no evidence that any developer was aware of this bug, or abusing the API, and also found no evidence that any Profile data was misused.
According to WSJ, Google chose not to disclose the bug earlier, as the company believed that the incident would likely trigger "regulatory interest" following Facebook's recent leak of user information to data firm Cambridge Analytica.
Given these challenges and the very low usage of the consumer version of Google+, Google decided to sunset the consumer version of Google+. The company said that Google+ has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps. The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds.
To give people a full opportunity to transition, Google will implement this wind-down over a 10-month period, slated for completion by the end of next August. Over the coming months, Google will provide consumers with additional information, including ways they can download and migrate their data.
Google today also announced a set of data privacy measures.
The company promised to give consumers more "fine-grained" control over what account data they choose to share with each app. Instead of seeing all requested permissions in a single screen, apps will have to show users each requested permission, one at a time, within its own dialog box.
Google is also updating its User Data Policy for the consumer Gmail API to limit the apps that may seek permission to access users' consumer Gmail data. Only apps directly enhancing email functionality (such as email clients, email backup services and productivity services, e.g., CRM and mail merge services) will be authorized to access this data. Moreover, these apps will need to agree to new rules on handling Gmail data and will be subject to security assessments.
In addition, Google is limiting apps' ability to receive Call Log and SMS permissions on Android devices, and is no longer making contact interaction data available via the Android Contacts API.
Some Android apps ask for permission to access a user's phone (including call logs) and SMS data. Going forward, Google Play will limit which apps are allowed to ask for these permissions. Only an app that users have selected as their default app for making calls or text messages will be able to make these requests.
In the coming months, Google promised to roll out additional controls and update policies across more of its APIs.