Following a massive data exposure first reported on by The Wall Street Journal, Google announced today that it is shutting down its social network Google+ for consumers. While data was exposed, there is no evidence that it was improperly accessed. The company finally admitted that Google+ never received the broad adoption or engagement with users that it had hoped for -- according to a blog post, 90 percent of Google+ user sessions last for less than five seconds. In light of these newly revealed security concerns with Google+'s API, the company has opted to put it out of its misery over the next ten months rather than try and make the social network more secure.
The company discovered a bug in one of Google+'s People APIs that allowed apps access to data from Google+ profiles that weren't marked as public. It included static data fields such as name, email, occupation, gender and age. It did not include information from Google+ posts. The bug was patched in March 2018, but Google didn't inform users at that point. "We made Google+ with privacy in mind and therefore keep this API's log data for only two weeks," the company said in a blog post. "That means we cannot confirm which users were impacted by this bug."
However, Google+ will continue as a product for Enterprise users. It's by far the most popular use of the social network. Therefore, the company has made the decision that Google+ is better suited as an internal social network for companies, rather than a consumer product. Google will announce new Enterprise-focused products for Google+ in the near future.
The decision is a part of Project Strobe, which is Google's internal investigation into third-party developer account access to Google and Android products. It takes a close look at security controls, as well as low user engagement that are likely due to privacy concerns. The goal is to identify areas where privacy controls should be tightened.
Update, October 15, 2:00 PM ET: This article was updated to reflect that, while personal data was exposed, there is no evidence anyone improperly accessed it.