2018 Google data breach

Vic Gundotra, Google+ lead at the time of the leaks.

The 2018 Google data breach was a major data privacy scandal in which a bug in the Google+ API exposed the non-public profile data of up to 500,000 users to third-party apps. [1]


Google engineers first found the bug in March 2018, [2] during a review of third-party API access (Project Strobe) that followed the Facebook–Cambridge Analytica data scandal. The bug was patched as soon as it was discovered, but it had been present since 2015 and had exposed the non-public profile data of up to 500,000 Google+ users to third-party apps. [3] Google did not tell the network's users. [4] In November 2018, a software update to the Google+ API introduced a second bug. Google again found no evidence of misuse, but the profile data of approximately 52.5 million users was potentially exposed. [5] Google had announced in October 2018 that it would shut down consumer Google+, citing low use and the engineering challenges of maintaining it; after the second bug the shutdown was brought forward from August 2019 to April 2019. [6] [7] [8]

Overview of Google+

Google+ was launched in June 2011 as an invite-only social network [9] and was opened to the public later that year. It was managed by Vic Gundotra. [10]

Like Facebook, Google+ offered a set of headline features: Circles (user-defined groups that controlled who could see a post or profile field), Hangouts (group video chat) and Sparks (interest-based content feeds).

Google+ was linked to other Google services such as YouTube, Google Drive and Gmail, which gave it a potential base of roughly 2 billion accounts. [14] Fewer than 400 million consumers actively used it, however, and 90% of user sessions lasted less than five seconds. [15]

The breaches

In March 2018, Google engineers found a bug in the Google+ People API that let third-party apps read profile fields the user had not marked as public. [3] Up to 500,000 Google+ accounts were affected, and up to 438 external apps had used the API while the bug was live; the exposed fields were names, email addresses, occupations, genders and ages. [3] The bug had been present since 2015. [16] Google found no evidence that any developer was aware of the bug or that any profile data had been misused, but because it retained the API's logs for only two weeks it could not establish which users' data had actually been read.

In November 2018, a software update introduced a second bug into the Google+ API. It affected 52.5 million users: [17] as in March, apps that had been granted permission to view a profile could also read fields set to non-public, including names, email addresses, occupations and ages. The bug did not expose financial information, national identification numbers or passwords, and blog posts, messages and phone numbers marked private remained inaccessible. Unlike the earlier bug, this one was live for only six days before Google discovered it. Again, Google found no evidence that any third-party developer had misused the data.
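Both bugs belong to the same class: an API handler that gates access on an OAuth scope but never consults the per-field visibility the profile owner set. The following is an added illustration written for this page, not Google's code or a reconstruction of the real People API; the scope name, field names, visibility levels, sample accounts and log format are all assumptions. It shows the buggy handler beside a fixed one, a differential check that reports exactly which fields leak, and an audit log of what each app actually read, the record Google lacked beyond a two-week window.

```python
"""Hypothetical illustration of a field-visibility bug in a profile API.
Not Google's code; scope, field names, visibility levels and log format
are assumptions made for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ProfileField:
    value: str
    visibility: str  # assumed levels: "public" | "circles" | "private"


@dataclass
class Profile:
    user_id: str
    fields: Dict[str, ProfileField]
    circles: List[str] = field(default_factory=list)  # user_ids the owner shares with


# Constructed sample data (not real accounts): alice has three non-public fields.
PROFILES: Dict[str, Profile] = {
    "alice": Profile("alice", {
        "name": ProfileField("Alice Example", "public"),
        "email": ProfileField("alice@example.invalid", "private"),
        "occupation": ProfileField("Security engineer", "circles"),
        "age_range": ProfileField("30-39", "private"),
    }, circles=["bob"]),
    "bob": Profile("bob", {"name": ProfileField("Bob Example", "public")}),
}

PROFILE_SCOPE = "profile.read"  # assumed OAuth scope name
AUDIT_LOG: List[str] = []       # one line per read; retain far longer than two weeks


def vulnerable_people_get(app_id: str, acting_user: str, target: str,
                          scopes: Set[str]) -> Dict[str, str]:
    """Buggy handler: once the app holds the profile scope it receives every
    field of the target profile. The owner's visibility settings are ignored."""
    if PROFILE_SCOPE not in scopes:
        raise PermissionError(f"{app_id}: missing scope {PROFILE_SCOPE}")
    profile = PROFILES[target]
    return {name: f.value for name, f in profile.fields.items()}


def field_visible_to(profile: Profile, f: ProfileField, viewer: str) -> bool:
    """Per-field authorization: the owner sees everything, anyone sees public
    fields, circle members see 'circles' fields, nobody else sees private ones."""
    if viewer == profile.user_id:
        return True
    if f.visibility == "public":
        return True
    if f.visibility == "circles":
        return viewer in profile.circles
    return False


def hardened_people_get(app_id: str, acting_user: str, target: str,
                        scopes: Set[str]) -> Dict[str, str]:
    """Fixed handler: the scope still gates the endpoint, but each field is
    then filtered by the owner's visibility relative to the user the app acts
    for, and the read is logged with the fields actually returned."""
    if PROFILE_SCOPE not in scopes:
        raise PermissionError(f"{app_id}: missing scope {PROFILE_SCOPE}")
    profile = PROFILES[target]
    result = {name: f.value for name, f in profile.fields.items()
              if field_visible_to(profile, f, acting_user)}
    AUDIT_LOG.append(f"app={app_id} actor={acting_user} target={target} "
                     f"fields={','.join(sorted(result))}")
    return result


def leaked_fields(app_id: str, acting_user: str, target: str) -> Set[str]:
    """Differential check: fields the buggy handler returns that the fixed
    handler withholds for the same app, actor and target."""
    scopes = {PROFILE_SCOPE}
    return (set(vulnerable_people_get(app_id, acting_user, target, scopes))
            - set(hardened_people_get(app_id, acting_user, target, scopes)))


if __name__ == "__main__":
    # A stranger's app reading alice's profile: the bug leaks three fields.
    print(sorted(leaked_fields("thirdparty-app", "carol", "alice")))  # ['age_range', 'email', 'occupation']
    print(AUDIT_LOG[-1])
```

The point of `field_visible_to` is that the visibility decision is made per field at serialization time, with the acting user (not merely the app's scope) as the subject; a scope check alone answers "may this app call the endpoint", not "may this user see this field". The audit line records the fields actually sent, which is what an investigation needs in order to say which accounts were read rather than which were merely exposed.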

Responses

On 8 October 2018, The Wall Street Journal published an article describing the March bug and Google's decision not to disclose it to users. [18] At the time, no US federal law required Google to notify consumers of such an exposure. Google had chosen not to disclose it partly out of concern that it would be compared with Facebook's recent data leak and suffer the same loss of consumer confidence. [4] The same day, Google announced that it would shut down consumer Google+, with a planned closure date of August 2019. [19] After the second bug, the date was moved forward to April 2019. [20] Enterprise customers affected by the second bug were notified and given instructions on how to save, download and delete their data before the shutdown. Google's Privacy and Data Protection Office found no misuse of user data.

Google originally set a 10-month wind-down period during which users could download and migrate their data, after which user content would be deleted. From 4 February 2019, new Google+ profiles could no longer be created. [21] Google began shutting down the Google+ APIs on 7 March 2019 so that developers would not continue to rely on them ahead of the consumer shutdown. [7] [16]

Google is the principal subsidiary of Alphabet Inc. On 9 October 2018, the day after the disclosure, Alphabet shares fell 1% to $1,157.06, having earlier that morning dropped to $1,135.40, the lowest price since 5 July 2018. [22] By 10 October 2018 the shares had fallen as much as 2.1% over the two days since the article. They then recovered steadily, regaining their 8 October 2018 level on 5 February 2019. [23]

Google planned to relaunch Google+ as an enterprise social network for business customers. [24] As part of the same review, Google restricted which Android apps on Google Play may request SMS and call-log permissions: only an app the user has set as the default phone or messaging app may ask for them. Previously an app could request access to all of a user's Google account data in a single consent prompt; apps must now request each permission individually and in context, so that a user can grant one and deny another.

References

  1. Snider, Mike (1 February 2019). "Google sets April 2 closing date for Google+, download your photos and content before then". USA Today. Retrieved 12 May 2019.
  2. Newman, Lily Hay (12 October 2018). "A New Google+ Blunder Exposed Data From 52.5 Million Users". Wired. ISSN 1059-1028. Retrieved 12 May 2019.
  3. "Flaw leads to Google+ shutting down". Network Security. 2018 (10): 3. 2018. doi:10.1016/S1353-4858(18)30095-3. S2CID 240102979.
  4. MacMillan, Douglas; McMillan, Robert (8 October 2018). "Google Exposed User Data, Feared Repercussions of Disclosing to Public". Wall Street Journal. ISSN 0099-9660. Retrieved 12 May 2019.
  5. Romm, Tony; Timberg, Craig (10 December 2018). "New Google+ security bug could affect more than 52 million users". The Washington Post.
  6. Thacker, David (10 December 2018). "Expediting changes to Google+". Google. Retrieved 12 May 2019.
  7. "Google+ API Shutdown | Google+ Platform". Google Developers. Retrieved 14 May 2019.
  8. "Google's social network is closing". New Scientist. 240 (3199): 4. 2018. doi:10.1016/S0262-4079(18)31819-0. S2CID 240126196.
  9. Fox, Chris (2 April 2019). "Google shuts failed social network Google+". BBC News.
  10. Dieter, Daniel (11 November 2018). "Google+ Case Study: Create a Social Network or Risk Everything". Performance Improvement. 57 (10): 26–36. doi:10.1002/pfi.21826. S2CID 69571511.
  11. Ovadia, Steven (5 December 2011). "An Early Introduction to the Google+ Social Networking Project". Behavioral & Social Sciences Librarian. 30 (4): 259–263. doi:10.1080/01639269.2011.622258. S2CID 62551198.
  12. Golbeck, Jennifer (2015). "Google+". Introduction to Social Media Investigation. pp. 137–149. doi:10.1016/B978-0-12-801656-5.00013-5. ISBN 9780128016565.
  13. Perez, Sarah (November 2018). "Looking back at Google+". TechCrunch. Retrieved 12 May 2019.
  14. "Google+ social media service to shut down after private data of at least 500,000 users exposed". ABC News. 9 October 2018.
  15. Ganjoo, Shweta. "Former Google+ designer explains why Google's social media play failed: it was mostly office politics". India Today. Retrieved 12 May 2019.
  16. Burton, Winston (25 October 2018). "Google Plus: Past, Present & Future". Search Engine Journal.
  17. "Expediting changes to Google+". Google. 10 December 2018. Retrieved 12 May 2019.
  18. MacMillan, Douglas; McMillan, Robert (8 October 2018). "Google Exposed User Data, Feared Repercussions of Disclosing to Public". Wall Street Journal. ISSN 0099-9660. Retrieved 5 December 2021.
  19. Smith, Ben (8 October 2018). "Project Strobe: Protecting your data, improving our third-party APIs, and sunsetting consumer Google+". Google Blog. Retrieved 12 May 2019.
  20. "Frequently asked questions about the Google+ shutdown - Google+ Help". support.google.com. Retrieved 12 May 2019.
  21. Nelson, Alex (7 February 2019). "Google+ shutdown: how to back up photos and data before your account closes". inews.co.uk. Retrieved 12 May 2019.
  22. De Vynck, Gerrit; Nix, Naomi (9 October 2018). "Google Discloses Privacy Security Flaw Kept Quiet Since March". Bloomberg.
  23. Aitken, Roger. "Alphabet 'In The Soup' Over Costs, But Analysts' Average Google Price Target $1,346". Forbes.
  24. "Currents: Have Meaningful Discussions at Work | G Suite". gsuite.google.com. Retrieved 12 May 2019.