Google Data Breach Exposes 500,000

Google is the latest to fall victim to a security bug, announcing a data breach of nearly 500,000 Google+ users earlier this month. As an additional security measure, paired with the lack of overall user adoption, the company has confirmed its social platform will be shut down over the next 10 months.

Google has received criticism for how it initially handled the breach event, as stated in an article published by the Electronic Frontier Foundation:

“Google should have told the public as soon as it knew something was wrong, giving users a chance to protect themselves and policymakers a chance to react. Instead, amidst a torrent of outrage over the Facebook-Cambridge Analytica scandal, Google decided to hide its mistakes from the public for over half a year.”

Additionally, Google may also be subject to additional fines related to the recent update to GDPR statutes in May 2018.

What Happened?

Google’s data breach affected 496,951 Google+ members, exposing Personally Identifiable Information (PII) like names, email addresses, birth dates and genders. In addition, this breach also affected Google+ profile data, including profile pictures, “places lived,” occupations and relationship statuses.

A security bug in one of Google’s Application Program Interfaces (API) was discovered that allowed developers outside of Google to access user profile data, as well as their friends’ data. In total, 438 apps potentially had access to this personal user data.

What is an API?

Application Program Interfaces, or APIs, are used by developers to build various types of software. In Google’s case, the affected “Google+People” API allows Google services to communicate and interact with each other.

Google developers explained that the breach originated from a security bug, or vulnerability, found in the Google+People API. The API should only allow Google services to share user data across multiple apps. Instead, the bug allowed other apps and services outside of Google access to the shared data.

Google’s Response: “Shut Down Google ”

Google’s plans to shut down its Google+ platform (minus its G Suite and Google+ for Business services) does not address the issue of shared data across multiple apps and services. Similar to crosslinking social media profiles with other apps and services, the bug could have potentially allowed unwanted parties access to your Google data from apps like Gmail, Google Maps and Google Drive.

However, the company has emphasized its stance on giving users more transparent control over their data privacy. Apart from depreciating the Google+ platform, Google will continue working through its “Project Strobe,” an effort that focuses on reviewing third-party access to Google user data, as well as making overall improvements to user data privacy.

Whether you were directly impacted by this breach or not, anyone can benefit from these tips to ensure Google data is secured across all apps and services:

  • Update your Gmail password. Even though Gmail data was not directly impacted, fraudsters could potentially gain access to your Gmail account if you are reusing the same passwords.
  • Watch out for spam. Fraudsters may try to retarget you in phishing scams or other social engineering ploys via email. Look before you click, and never download files you were not expecting to receive.
  • Update account verification settings. Consider adding multi-step authentication measures that utilize secure codes or text/call verification. This will help prevent unwanted actors from gaining access to your accounts even if they can provide your full date of birth.
  • Avoid crosslinking, especially with social media accounts. Avoid sharing personal data across multiple apps via crosslinking (most commonly with social media accounts). Keep personal, financial and device data on a need-to-know basis with apps and online services.