Google+ exposed data of hundreds of thousands of users—here’s what you need to know

496,951 Google+ users’ full names, birth dates, gender, profile photos, addresses, occupation and relationship status were exposed.


A software vulnerability in the Google+ site gave third-party developers potential access to users’ private Google+ profile information for more than three years.

Google ran tests to determine the impact of the vulnerability and found 496,951 users who had shared private profile data with a friend could have had data accessed by an outside developer, according to published reports.

If you have a Google+ profile, here’s the information that may have been exposed:

  • Full names
  • Email addresses
  • Birth dates
  • Gender
  • Profile photos
  • Places lived
  • Occupation
  • Relationship status

Google says there is no evidence that any data has been misused, at the time of this writing. Since Google+ stores a limited set of activity logs, it is unable to determine the profiles that were affected.

Here’s the history. The exposure began in 2015. When a user gave permission to an app to access their public profile data, the vulnerability allowed the app developers to access the non-public information of the users and their friends on Google+.

Is my Google+ account compromised?

Google said there is no evidence of data misuse. The company is unable to determine which users were affected. That’s because it keeps a limited set of activity logs. At this writing, it’s unclear whether more users may have been affected.

What is Google doing about it?

In response to this incident, Google has decided to shut down the consumer facing Google+ for 10 months. Users can export their data during this time.

On October 8, 2018, Google said it plans to stop letting outside developers gain access to SMS messaging data, call log data, and some forms of contact data on Android phones. Only a limited number of developers will be allowed to build add-ons in Gmail.

According to The Wall Street Journal, Project Strobe is a privacy task force within Google. It has been conducting a companywide audit of the company’s application programming interfaces. APIs are public channels that make Google users’ data available to outside developers. They require users’ permission to access any information. As in the case of Google+, it appears that they were misused, The Wall Street Journal has reported.

What information could have been compromised in the Google+ incident?

Information that could have been potentially exposed includes full names, email addresses, places lived, occupation, and relationship status.

Phone numbers, email messages, timeline posts, and direct messages probably were not exposed.

What can a hacker do with compromised information?

Cybercriminals can sell personal information on the dark web. Information like full names, email addresses, and addresses can have substantial value.

Cybercriminals can purchase this information and launch social engineering and phishing scams to try to trick people into disclosing their personally identifiable information, also known as PII. This may include sending a fraudulent email that may seem to come from a close friend asking for money or other private information. Cybercriminals can send malware or viruses that mine your devices for information, which is then sent to a remote computer.

In the case of large data breaches, cybercriminals could use exposed personal information to commit crimes like identity theft or ransomware attacks.

Cyberthieves could even use your private information to potentially answer password hint questions and gain access to your accounts. They could then access your bank accounts, apply for credit cards in your name, file tax returns using your personal information, or commit other crimes.

That’s why it’s important to help make sure your personal information is safe.

How do I protect myself against data breaches?

No one can prevent a data breach, but you can take steps to help safeguard your accounts and personal information, and to maintain your sense of online privacy. Think cyber safety. Cybercriminals want access to your devices, your personal data, your identity, your online privacy, and your home network because they’re all connected.

It’s a good idea to have a protection plan that helps safeguard your devices. Norton is one way to help protect your connected life.

No one can prevent all identity theft or cybercrime.
LifeLock does not monitor all transactions at all businesses.

Norton logo
  • Norton
Norton empowers people and families around the world to feel safer in their digital lives

Editorial note: Our articles provide educational information for you. Our offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about Cyber Safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses. The Norton and LifeLock brands are part of Gen Digital Inc. 


    Want more?

    Follow us for all the latest news, tips and updates.