A software update introduced by Google last month has resulted in the personal data of 52.5 million users being exposed, even when it was set to not-public. As a result, Google says it will shut down all API access to Google+ in the next 90 days and bring forward the “sunsetting” of Google+ from August next year to April.
Google said in a statement that the data was exposed for six days after being discovered during ongoing testing procedures but that there was no third-party compromise of systems, and there was no evidence that the app developers were aware of the bug or misused it in any way.
Affected users’ names, email addresses, occupations and ages were exposed even when the user set their profile to not-public. In addition, apps with access to a user’s Google+ profile data also had access to the profile data that had been shared with the consenting user by another Google+ user but that was not shared publicly. However, financial data, national identification numbers, passwords, or similar data typically used for fraud or identity theft was not exposed.
Affected customers are being notified.
Google+ never managed to get the sort of traction Google anticipated even though the company boasts a massive customer base for its other services and products. And the exposure of this vulnerability leading to the early shutdown of the service is an embarrassing end to the product’s life.
But it’s worth noting Google+’s failure is part of what I see as a systemic lack of strategic vision for the company’s products. As we’ve recently seen with the search giant’s messaging strategy, Google is great at coming up with ideas and making them into products. But it lacks follow-through and seems to be easily distracted by what’s next rather than what’s already there.