Google on Monday warned that a buggy API update introduced in November to its soon-to-be-mothballed Google+ social network exposed personal information for 52.2 million users.
The security alert arrives just two months after Google belatedly admitted that data from an estimated 500,000 accounts had been exposed in March, due to a problem with the same API. But Google only revealed that data exposure in October, following inquiries from the Wall Street Journal.
The latest data exposure couldn’t come at a worse time for the search firm because lawmakers and regulators are increasing their scrutiny of the security and data collection practices of technology giants, including Facebook and Twitter as well as Google. But Google’s quick notification shows it may have learned from its experience with the first exposure involving Google+.
The latest Google+ problem exposed personal data that users had intended for only their friends to see – including their physical address, relationship status, birthdate and employer – to app developers. Google has released a full list of the exposed data collected by its People API.
Even worse, the same kind of data was exposed for those people’s connections, many of whom would likely have never consented to the permissions demanded by the app that their friends were using.
The exposure lasted six days, David Thacker, vice president of product management for G Suite, writes in a blog post. “No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way,” he writes. Financial data, national ID numbers, passwords or similar data that could be used for fraud were not exposed, he adds.
Companies with repeated security incidents tend to lose even more public trust, because the repetition demonstrates a failure to learn from previous mistakes. It’s a critical and necessary best practice to have vulnerability and penetration tests performed by capable technology companies such as Layer 7 Data Solutions.