A new report says that a security flaw allowed third-party developers to access Google+ user profile data from 2015 until Google discovered it in March. However, the company decided not to inform users. In fact, according to an internal company memo, the decision against informing the public was made because it would lead to “us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal.”

Frankly, that reasoning is BS. It’s your duty to report breaches to your customers, and not doing so only makes us have less trust in you and your products. Google had to realize this would get out at some point; nothing this big ever stays bottled up for too long. And if you don’t want to take my word for it, take Theresa Payton’s (former White House CIO and CEO at Fortalice Solutions) word for it. I had her on the TechieBytes podcast not too long ago.

In terms of how the security flaw worked, if a user gave an app permission to access their profile data, the flaw allowed that app’s developers to pull the data of that user’s friends as well. According to what I’ve seen so far, 496,951 users’ full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship statuses were potentially exposed, though Google says it has no evidence the data was misused. Well, thank God for that. Honestly, I bet it wasn’t misused because the data was so sparse, since no one really used Google+.

All this news comes from a damning Wall Street Journal report that says Google is expected to announce a slew of privacy reforms today in response to the breach. That includes stopping most third-party developers from accessing Android phone SMS data, call logs, and some contact info. Gmail will restrict building add-ons to a small number of developers, and Google+ will cease all its consumer services.

Google+ has mostly been a ghost town for quite some time and I’m betting that not many resources were devoted to it at Google, which is likely how this security flaw went unnoticed for so long.

[via WSJ]
