Google has announced that it is shuttering its beleaguered social media portal Google+ in response to a security lapse where 3rd party developers could access private consumer data from 2015 until March 2018. The Wall Street Journal exposed the breach this morning. Project Strobe was an internal audit of privacy controls and a deep look into what data Google was sharing with 3rd party developers. The data from the security lapse was limited to optional Google+ profile fields including name, email address, occupation, gender and age. Google is adamant that it wasn't connected to other service like messages, Google account data, phone numbers, etc. The audit found no evidence of 3rd party developers exploiting the bug.
The exposure was the result of a flaw in programming interfaces Google made available to developers of applications that interacted with users’ Google+ profiles, Google officials said in a post published after the WSJ report. From 2015 to March 2018, the APIs made it possible for developers to view profile information not marked as public, including full names, email addresses, birth dates, gender, profile photos, places lived, occupation, and relationship status. Data exposed didn’t include Google+ posts, messages, Google account data, phone numbers, or G Suite content. Some of the users affected included paying G Suite users.
Pretty big deal considering it involves full names, addresses, birth dates, occupation and gender.
Social media is bad! #pitchfork
An even bigger deal, they chose not to disclose the data compromise after they discovered it.
This is just the beginning. There are so many data breaches that occur under our very noses that we don't see or hear of because there are no data breach disclosure laws. Even if there is, companies simply don't give a damn, until someone makes a noise, or they seek legal advice in secret, or they only disclose them after the damage has been done, or it's too little too late.