Big news out of Mountain View, CA, this week. Up to 500,000 Google+ account holders may have had their personal details, as well as those of their friends, compromised. Making matters worse, Google chose to keep the breach secret to avoid negative publicity. As a result of the ensuing turmoil — and at least partially due to poor performance — Google+ is shutting down.
Let’s take a closer look at what happened, why it matters, and what our experts say you can do to protect yourselves!
About the Google+ data breach
In a blog post published October 8, 2018, Google Fellow and Vice President of Engineering Ben Smith began by discussing Project Strobe — a comprehensive “review of third-party developer access to Google account and Android device data and of our philosophy around apps’ data access.”
As part of this review, the organization discovered in March 2018 that a bug allowed third-party apps to access the personal profile fields of Google+ users and their friends.
Here’s how the process worked.
- Users allowed Google+ apps to access their profile data and the public profile information of their friends via the API
- The bug also allowed apps to access the non-public profile information of the user’s friends
- This data included personal details like a user’s name, email address, occupation, job title, bio, gender, age, and more
- Google claims that no other data posted or connected to a Google+ account, including posts, messages, etc., were affected
- Google stores API logs for only two weeks, and as a result cannot confirm which users were affected or to what extent
- They did discover that as many as 500,000 accounts were affected and that 438 applications had access to the API
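The bug class described in the list above is an authorization failure at the field level: the app's scope and the friend relationship are checked, but the visibility of each profile field is not, so a read of a friend's profile returns non-public fields along with the public ones. The following is an added example in Python, not Google's or Google+'s own code, with constructed profiles, field names and scope names (`profile.read`, `friends.public`) that are assumptions for illustration. It shows the leaky handler beside a hardened one that filters by visibility, plus a small regression check that reports which fields the buggy version over-exposes.

```python
# Added example (not Google's code): a toy profile API that demonstrates the
# field-level authorization bug described above, next to a hardened handler.
# All users, field values and scope names below are constructed.

PUBLIC, FRIENDS_ONLY, PRIVATE = "public", "friends", "private"

# Constructed sample profiles: field -> (value, visibility), plus friend sets.
PROFILES = {
    "alice": {
        "fields": {
            "name": ("Alice Example", PUBLIC),
            "occupation": ("Engineer", FRIENDS_ONLY),
            "email": ("alice@example.invalid", PRIVATE),
            "age": (34, PRIVATE),
        },
        "friends": {"bob"},
    },
    "bob": {
        "fields": {
            "name": ("Bob Example", PUBLIC),
            "job_title": ("Analyst", FRIENDS_ONLY),
            "email": ("bob@example.invalid", PRIVATE),
            "gender": ("male", PRIVATE),
        },
        "friends": {"alice"},
    },
    "carol": {
        "fields": {
            "name": ("Carol Example", PUBLIC),
            "email": ("carol@example.invalid", PRIVATE),
        },
        "friends": set(),
    },
}

# Hypothetical OAuth-style scopes an app may hold on behalf of a user.
SCOPE_OWN_PROFILE = "profile.read"       # read all fields of the authorizing user
SCOPE_FRIENDS_PUBLIC = "friends.public"  # read the PUBLIC fields of their friends
ALL_SCOPES = frozenset({SCOPE_OWN_PROFILE, SCOPE_FRIENDS_PUBLIC})


def _check_access(app_user, target, scopes):
    """Return 'self' or 'friend' if the app may read target at all; raise otherwise.
    This check is correct in both handlers; the bug is in what happens after it."""
    if target not in PROFILES:
        raise KeyError(target)
    if target == app_user:
        if SCOPE_OWN_PROFILE not in scopes:
            raise PermissionError("missing scope " + SCOPE_OWN_PROFILE)
        return "self"
    if target in PROFILES[app_user]["friends"]:
        if SCOPE_FRIENDS_PUBLIC not in scopes:
            raise PermissionError("missing scope " + SCOPE_FRIENDS_PUBLIC)
        return "friend"
    raise PermissionError(f"{target} is not a friend of {app_user}")


def vulnerable_get_profile(app_user, target, scopes):
    """Leaky handler: once the relationship/scope check passes, every field of
    the target is returned, so a friend read also exposes non-public fields."""
    _check_access(app_user, target, scopes)
    return {name: value for name, (value, _vis) in PROFILES[target]["fields"].items()}


def get_profile(app_user, target, scopes):
    """Hardened handler: the relationship decides which visibility levels may be
    returned. A friend read is limited to PUBLIC fields, matching the intended
    API contract (own profile plus friends' public information only)."""
    relation = _check_access(app_user, target, scopes)
    allowed = {PUBLIC, FRIENDS_ONLY, PRIVATE} if relation == "self" else {PUBLIC}
    return {
        name: value
        for name, (value, vis) in PROFILES[target]["fields"].items()
        if vis in allowed
    }


def leaked_fields(app_user, target, scopes):
    """Fields the leaky handler returns beyond the hardened one; a handy
    regression test for the visibility filter."""
    leaky = set(vulnerable_get_profile(app_user, target, scopes))
    fixed = set(get_profile(app_user, target, scopes))
    return sorted(leaky - fixed)


if __name__ == "__main__":
    print("friend read, hardened:", get_profile("alice", "bob", ALL_SCOPES))
    print("friend read, leaky:   ", vulnerable_get_profile("alice", "bob", ALL_SCOPES))
    print("over-exposed fields:  ", leaked_fields("alice", "bob", ALL_SCOPES))
```

The relationship and scope checks are identical in both handlers; the difference is that the hardened version derives the set of permitted visibility levels from the relationship and applies it to every field, so a future field with a new visibility level is denied by default rather than leaked.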
An unsettling timeline
Perhaps even more unsettling than the breach itself was Google’s handling of the matter. Smith revealed the bug was uncovered back in March 2018. After patching the bug, the company did little more to protect the public’s interest. In fact, the tech giant waited more than six months to alert the public — a disturbing trend within the tech community.
This wasn’t the result of some oversight. The company chose to stay silent in the hopes of avoiding a PR headache and any potential regulations. According to reports obtained by The Wall Street Journal, a Google policy and legal official warned:
“In us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal, [it] almost guarantees [CEO Sundar Pichai] will testify before Congress…[and invite] immediate regulatory interest.”
What can you do to protect yourself?
PrivacyArmor participants have nothing to fear! We are aware of the situation and, as always, we will immediately notify you if we detect your data somewhere it shouldn’t be.
Members and non-members alike should be aware that cybercriminals can use this data to conduct targeted spear phishing attacks and launch other forms of social engineering campaigns. As a result, you should conduct a review of your Google+ profile to see what specific information may have been compromised.
You should also use this opportunity to review your other social media accounts. Additionally, you should continually monitor which third-party apps have access to your account, as well as the types of data they can access. You can visit https://myaccount.google.com/permissions to review (and revoke) permissions for apps that may be connected to your Google+ and Google Account.
Keep in mind, Google+ isn’t the only social media platform you need to monitor. If you’d like to learn more about how you can search, share, and communicate more privately, you can download our complimentary ebook on the topic, Protecting Your Privacy: Best Practices for Mobile, Social, and Search Settings.