Google+ exposed data of hundreds of thousands of users—here’s what you need to know

A software vulnerability in the Google+ site gave third-party developers potential access to users’ private Google+ profile information for more than three years.

Google ran tests to determine the impact of the vulnerability and found that 496,951 users who had shared private profile data with a friend could have had that data accessed by an outside developer, according to published reports.

If you have a Google+ profile, here’s the information that may have been exposed:

  • Full names
  • Email addresses
  • Birth dates
  • Gender
  • Profile photos
  • Places lived
  • Occupation
  • Relationship status

At the time of this writing, Google says there is no evidence that any data has been misused. Because Google+ stores only a limited set of activity logs, the company is unable to determine which profiles were affected.

Here’s the history. The exposure began in 2015. When a user gave an app permission to access their public profile data, the vulnerability also allowed the app’s developers to access the non-public information of that user and of their friends on Google+.

Is my Google+ account compromised?

Google said there is no evidence of data misuse. The company is unable to determine which users were affected. That’s because it keeps a limited set of activity logs. At this writing, it’s unclear whether more users may have been affected.

What is Google doing about it?

In response to this incident, Google has decided to shut down the consumer-facing Google+ for 10 months. Users can export their data during this time.

On October 8, 2018, Google said it plans to stop letting outside developers gain access to SMS messaging data, call log data, and some forms of contact data on Android phones. Only a limited number of developers will be allowed to build add-ons in Gmail.

According to The Wall Street Journal, Project Strobe is a privacy task force within Google. It has been conducting a companywide audit of the company’s application programming interfaces. APIs are public channels that make Google users’ data available to outside developers. They require users’ permission to access any information. As in the case of Google+, it appears that they were misused, The Wall Street Journal has reported.

What information could have been compromised in the Google+ incident?

Information that could have been potentially exposed includes full names, email addresses, places lived, occupation, and relationship status.

Phone numbers, email messages, timeline posts, and direct messages probably were not exposed.

What can a hacker do with compromised information?

Cybercriminals can sell personal information on the dark web. Information like full names, email addresses, and addresses can have substantial value.

Cybercriminals can purchase this information and launch social engineering and phishing scams to try to trick people into disclosing their personally identifiable information, also known as PII. This may include sending a fraudulent email that may seem to come from a close friend asking for money or other private information. Cybercriminals can send malware or viruses that mine your devices for information, which is then sent to a remote computer.

In the case of large data breaches, cybercriminals could use exposed personal information to commit crimes like identity theft or ransomware attacks.

Cyberthieves could even use your private information to potentially answer password hint questions and gain access to your accounts. They could then access your bank accounts, apply for credit cards in your name, file tax returns using your personal information, or commit other crimes.

That’s why it’s important to help make sure your personal information is safe.

How do I protect myself against data breaches?

No one can prevent a data breach, but you can take steps to help safeguard your accounts and personal information, and to maintain your sense of online privacy. Think cyber safety. Cybercriminals want access to your devices, your personal data, your identity, your online privacy, and your home network because they’re all connected.

It’s a good idea to have a protection plan that helps safeguard your devices. Norton is one way to help protect your connected life.

© 2018 Symantec Corporation. All rights reserved.