In a blog post published on Monday night, Google revealed that over 500,000 Google Plus user accounts had their data compromised, and a report in the Wall Street Journal says that the company chose not to disclose this fearing regulatory scrutiny. Google says it discovered and fixed the issue in March this year, as part of a security exercise called Project Strobe. An error in the site's code gave third-parties access to private profile data of users between 2015 and March 2018, through the use of third-party apps on the social network.
In some ways, this is similar to the Cambridge Analytica breach that occurred on Facebook, as third-party apps could collect data not just about users who signed up, but also personal data about their contacts. In its post, Google said there are significant challenges in maintaining Google Plus and as a response, the search giant will now shut down its social network.
According to Google, the private data being leaked is from the profile fields, such as name, email ID, occupation, gender and age. Any posts you make are not being shared, although given that most Google Plus users weren't spending more than five seconds in a session, there wasn't much additional data to take anyway.
Google also claims that while this weakness had been exposed for nearly three years, there has been no evidence that any developer was making use of this bug, or that any user data was misused as a result of this bug. It has also said that it will give users more detailed controls over the access that's granted to apps so that people can make more informed choices about their privacy and security. It's also tweaking the way certain security permissions are handled in Android to limit how permissions can work—so, for example, even if you give an app SMS access so that it can read OTPs for verification, personal messages shared between contacts will remain off-limits.
The shutdown of Google Plus will take ten months to complete, so if you have a profile, there's still time to retrieve any data you want to, before the network becomes unavailable.