The Wall Street Journal is reporting (I’m linking to Engadget because I don’t expect everyone has a WSJ account) that Google learned in March that private profile information between 2015 and 2018 was available to anyone with an API hooking into Google+.
It’s not known whether every Google+ account was compromised or not, as Google+ only stored logs for about two weeks due to privacy concerns. During the two weeks in March they knew about the security hole, they discovered no evidence that your profile information had been hacked.
I’ll stress that safety guarantee was during those two weeks. It could all have been taken sometime in February and they would never know. They don’t know if you were hacked, breached, and your private profile pictures, posts, and information were given to a malicious third party.
And they didn’t tell you.
Exposed data included names, email, birthday, gender, profile photos, places lived, occupation, relationship status, and possibly posts based on what I’m seeing of the API.
This API didn’t have to be installed or granted access by the user, only by someone who’s a friend. So if you’re all following that one programming site and they enabled API access for any reason, you’re potentially affected.
The WSJ reports that Google’s CEO was informed of the plan to not disclose the data exposure, as the revelation could have bought Google a hot seat at the Senate beside or instead of Facebook.
As noted, Google is shutting down Google+. Engadget says it’s in light of this issue, although it’s probably just that Google+ has been a massive drain on Alphabet’s resources with no real income potential showing on the horizon since its inception.
I’m actually ticked off at this. I understand that they were unable to prove that even one instance of profile hacking had occurred, but it seems absurd to take two weeks of API logs and say that the other 163 weeks they don’t have info for were insignificant risks. [Engadget / WSJ]