On Monday, October 8, in a blog post written by Ben Smith, Google’s Vice President of engineering, the company announced it would be closing the Google+ platform to consumers in ten months. The announcement was posted after The Wall Street Journal reported that Google discovered a significant data breach of the platform in March of this year and decided internally not to announce that breach to the public.
Here are the details of the breach:
- Outside developers who connect to Google+ through one of more than 130 Google-supported application programming interfaces (APIs) had potential access to user data from 2015 through March 2018.
- When it was discovered in March, the bug was fixed immediately.
- 496,951 user accounts were potentially affected.
- The API bug opened up the possibility of outside developers collecting the profile data of users’ friends even if that data was explicitly marked as nonpublic.
- The security flaw exposed data like usernames, email addresses, occupations, genders, and ages.
- Google’s internal investigation found no evidence that anyone exploited the flaw to steal data or misused data in any of the 438 applications that used the affected API before the bug was fixed.
Supporting APIs that grant access to users' profile data is a widely used practice across all the social media platforms in use today. APIs enable users to log in to apps and websites using Facebook or Google credentials rather than setting up a separate username and password. APIs also enable users to share content from one platform to another.
Developers routinely use these APIs in their own applications. A significant step in API use is clear communication to the user about the data that will be gathered and shared, as well as obtaining permission from the user to take those communicated steps. A data breach takes that decision out of the hands of the user and enables bad actors to use personal data as they see fit.
Google+ has long lagged behind its main intended rival, Facebook. So, while it's not a surprise that the formal decision was finally made to shutter the platform to consumers in the coming months, the fact that Google discovered a data breach and did not report it to the public will significantly increase public and regulatory scrutiny of its security practices. As Facebook and Twitter leadership have discovered over the past year or so, data breaches that appear to be covered up or not handled with appropriate seriousness are a public relations nightmare.
It appears that Google+ does have a future, at least in some form. Part of the announcement this week was a high-level plan to turn the platform into one for enterprises, a peer-to-peer business communication platform. We’ll see if this pivot to a corporate social media platform will gain any momentum.
So, what do you need to do if you have a personal or business account on Google+? We recommend the following two primary steps:
- Delete your Google+ account(s). Google has posted clear, step-by-step instructions on how to delete your account.
- Remove any icons on your website that enable sharing your content to Google+.
As for the future, we’ll be watching this dynamic digital story evolve, and will keep you updated on the latest developments across the digital landscape.