Alphabet Inc.'s Google LLC said in an Oct. 8 blog post that after an internal review of third-party developer access to user data earlier this year, it discovered a bug that shared some users' profile data from the little-used Google+ social network. As a result, the company announced a series of privacy reforms, including shutting down Google+ for consumers.
The data exposed included optional profile information such as a user's name, email address, occupation, gender and age. The company said the discovery was made and patched in March 2018.
"We found no evidence that any developer was aware of this bug, or abusing the API [application programming interface], and we found no evidence that any Profile data was misused," Google Vice President of Engineering Ben Smith wrote in a blog post announcing the company's findings.
Smith also acknowledged Google+ has never caught on with consumers. "While our engineering teams have put a lot of effort and dedication into building Google+ over the years, it has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps," he said, noting that 90% of Google+ user sessions are less than five seconds.
In addition to closing the social network for consumers, Google announced new privacy controls, which include more granular account permissions on a users' account.
"Instead of seeing all requested permissions in a single screen, apps will have to show you each requested permission, one at a time, within its own dialog box," wrote Smith.
Additionally, Smith said the company is limiting the apps that can seek permission to access consumer Gmail data. The company claims it will only authorize apps that directly enhance email functionality to access this type of data.
Lastly, Google will limit the ability that apps have to obtain call log and text messaging permissions on Android devices. Smith said only an app selected as a default app by a user for making calls or text messages will be able to request access to the data.
Google's announcement followed an Oct. 8 report on the breach in The Wall Street Journal. According to the report, Google's legal and policy team prepared a memo for senior executives warning that public disclosure of the issue could bring about increased regulatory interest and a possible comparison to Facebook Inc.'s data scandal from earlier in 2018.
The report also claims Google CEO Sundar Pichai was notified of the company's plans not to notify impacted users.
Smith said the company will roll out additional privacy controls in the coming months.