Google has announced that it would shut down Google Plus, the company’s social media platform, after it discovered a security vulnerability that exposed the private data of up to 500,000 users.
Google said in a post on Monday that when the company’s technical staff discovered the bug in March, they decided against disclosing the issue to users because they hadn’t found anyone that had been affected.
Google said its “Privacy & Data Protection Office” decided the company was not required to report the security issue. Google looked at the “type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance.”
Up to 438 applications made by other companies may have had access to the vulnerability through coding links called application programming interfaces. Those outside developers could have seen user names, email addresses, occupation, gender and age. They did not have access to phone numbers, messages, Google Plus posts or data from other Google accounts, the company said.
The incident could face additional scrutiny because of a memo to senior executives reportedly prepared by Google’s policy and legal teams that warned of embarrassment for Google similar to what happened to Facebook earlier this year if it went public with the vulnerability.
The decision to shut down Google Plus was part of a broad review of how much user information Google shares with third-party developers. Google, a unit of Alphabet, also said it is limiting the apps that can work with Gmail, the company’s email service, and constraining the amount of data that developers can access through Android, Google’s smartphone software.