Another Google+ data bug exposes info for 52.5 million users
The second data leak in three months for Google+ has sealed its fate.
According to Terry Ray, CTO of Imperva, “It’s been a bad couple of months to be Google. The good news is that Google identified the vulnerabilities themselves, which isn’t always the case, and executives are accelerating actions to protect their users’ data from further exposure, now deciding to sunset Google+ four months earlier than originally planned. To quickly define exposure, it means a door was left open, but as far as the company can tell, no one went in and nothing was taken. In this second exposure, Google believes that no records were stolen and the vulnerability has been patched, noting that this is a proactive public announcement.
Several of these proactive exposure announcements have occurred recently, so this may be the beginning of a trend. It seems companies have begun letting users know about exposures, whether in the hopes of some goodwill if something is found to be stolen and/or in the hopes that users will review their account statements and be extra vigilant when vetting e-mail and other communications against scammers.
Google’s CEO Sundar Pichai will likely have to answer some tough questions on the Hill tomorrow—especially since the first data exposure was originally not going to be disclosed to users. However, it’s good to see the company is taking this issue seriously and is learning from previous mistakes.”
The bug was in Google’s application programming interfaces (APIs), which can act as a direct gateway to sensitive customer data if they do not check who is accessing it. This type of threat is a growing concern for businesses because applications are critical to doing business across industries. As the past year of breaches has shown, APIs are particularly exposed to security coding errors in third-party applications. Web applications have quickly grown more complex as users and companies demand more from their online, mobile and connected-device experiences. I fully expect to see more around API exposures and breaches as this complexity grows.
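As an added illustration of the missing check described above (example code written for this page, not Google's or the article's; the profile store, visibility levels and scope names are constructed), here is a profile API handler that hands back every field regardless of caller, beside one that enforces both the caller's identity and the scopes the calling app was granted:

```python
# Constructed sample profile store: each field carries its own visibility.
PROFILES = {
    "u1": {
        "owner": "u1",
        "friends": {"u2"},
        "fields": {
            "name": ("public", "Ada"),
            "birthday": ("friends", "1990-01-01"),
            "email": ("private", "ada@example.com"),
        },
    },
}


def get_profile_vulnerable(profile_id, caller):
    """The exposure pattern: returns every stored field without looking
    at who the caller is or what the calling app was authorised to read."""
    return {name: value for name, (_, value) in PROFILES[profile_id]["fields"].items()}


def get_profile(profile_id, caller, scopes):
    """Hardened handler: deny by default, release a field only when the app
    holds a scope for it AND the caller is allowed to see it.

    caller is the authenticated user id (None for anonymous callers);
    scopes is the set of field names the calling app was granted."""
    profile = PROFILES.get(profile_id)
    if profile is None:
        return None  # unknown id: reveal nothing, not even existence
    released = {}
    for name, (visibility, value) in profile["fields"].items():
        if name not in scopes:
            continue  # app never asked for this field; a scope is not optional
        if visibility == "public":
            allowed = True
        elif visibility == "friends":
            allowed = caller == profile["owner"] or caller in profile["friends"]
        else:  # "private": only the owner
            allowed = caller == profile["owner"]
        if allowed:
            released[name] = value
    return released
```

Anonymous callers fall through every identity branch, so they receive only public fields even when the app holds broad scopes.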