Google recently disclosed that they discovered a vulnerability in their Google+ People API in March of this year, which was patched immediately. This vulnerability:
- which has been open since 2015, potentially exposed the private data of 500,000+ users to third party developers.
- disclosed data including user full names, email addresses, dates of birth, gender, profile photos, places lived, occupation and relationship status.
- cannot be tracked back to specific users as API logs were retained for two weeks.
Google did not report the vulnerability sooner because it did not meet the public disclosure requirements as there was no evidence of data misuse or evidence that developers knew of the vulnerability. Given the challenges associated with creating and maintaining Google+ combined with the low usage of the consumer version, Google has decided to sunset the consumer version of Google+ over a 10 month period (to be completed by the end of next August). Over the coming months, Google states that it will provide consumers with additional information, including ways in which they can download and migrate their data.
However, Google+ will be retained as an enterprise product, and will be announcing/launching new features for businesses. Please note that nyu.edu accounts are enterprise accounts. Privacy measures which have been implemented include an Account Permissions system that asks third party apps for each requested permission individually vs. at once, giving users more granular control over what data is shared with apps. Further, Google has restricted access to the Gmail API only for apps that directly enhance mail functionality, such as email clients, backup and productivity services.
Resources:
https://www.blog.google/technology/safety-security/project-strobe/
https://thehackernews.com/2018/10/google-plus-shutdown.html