Social media platforms should possess robust security measures in order to protect the personal and private information divulged by account holders. A flaw in any security program can lead to vulnerabilities in the system, allowing hackers and third-party developers to access classified user data for exploitation. In 2018 alone, social media giant Facebook was at the forefront of two major security scandals – one in which British data analytics firm ‘Cambridge Analytica’ obtained and misused the personal data of 50 million users, and the other in which hackers exploited a flaw in one of Facebook’s prominent features to breach another 50 million accounts. On 8th October, 2018, it was Google’s turn to announce that its social media platform, Google+, had hosted a security vulnerability since 2015 that exposed the private data of several users to third-party developers.
Google+, like any other web platform, is built on programming interfaces called application programming interfaces (APIs). It was Google+’s People API that was discovered to contain a critical bug, one that could have been exploited by third-party developers. According to Google, up to 438 third-party applications developed by other companies could have used the vulnerability, enabling them to potentially exploit the private data of more than 500,000 users – including usernames, email addresses, date of birth, occupation and profile photos. Google couldn’t pin down the number of users impacted by the vulnerability, as Google+ servers don’t store API logs for more than two weeks. However, it is worth noting that hackers exploited a similar kind of API flaw on Facebook to breach the accounts of 50 million users.
Although Google discovered and fixed the vulnerability in March 2018, the company didn’t divulge information about it to the public. Google’s investigation concluded that no third-party developers had actually accessed any user information, despite being able to do so. According to the company’s “Privacy & Data Protection Office”, such instances were not legally required to be reported. In fact, the law was changed later, in May 2018, with the implementation of the General Data Protection Regulation (GDPR), a set of laws adopted by Europe that requires companies to notify regulators of a potential leak of personal information within 72 hours.
In the aftermath of disclosing the news to the public, Google also announced that it would permanently shut down Google+ for consumers by the end of August 2019. The decision was based on the fact that Google+ has low usage and user engagement: 90% of Google+ sessions last less than five seconds. Google has also introduced new privacy settings on its platform as a part of its “Project Strobe”, which gives users more control over what type of account data they wish to share with third-party applications.
Google’s shares fell over 2% to $1134.23 in the wake of the data breach reports, as pressure mounts on CEO Sundar Pichai to testify before the U.S. Congress. Along with answering questions about whether Google filters conservative voices in its products and about Google’s plan to re-enter the Chinese market with a censored search engine, Pichai can now expect lawmakers to grill him regarding the security of Google and its products.