Google Data Breach: What You Need to Know


Google announced on Oct. 8 that it's shutting down Google Plus, the social network that was aimed at competing with Facebook. The decision came in response to Google uncovering a security vulnerability in March 2018 that potentially exposed the private information of up to 500,000 Google Plus users.

What Happened in the Google Breach?

Google initiated a security audit at the beginning of 2018 to review what data third-party app developers had access to via Google accounts. As a result, the company found that between 2015 and March 2018, outside app developers could have potentially accessed private Google Plus user profile data due to a software glitch in the site.

How Did the Glitch Work?

When users signed up for a Google Plus profile, they could include personal data like their name, occupation, gender, email address and more. Users could also mark certain data private or only viewable to certain friends.

Users could grant access to their profile data through third-party Google Plus apps. These apps are allowed to use coding links known as application programming interfaces, or APIs, to access profile data, but they are not supposed to be able to view private information. However, thanks to the coding glitch, up to 438 applications made by outside companies may have been able to access private personal data.

Google fixed the security flaw when it was discovered in March 2018.
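
One way a flaw of this kind can arise is a profile API that returns whatever fields an app requests without consulting the visibility the user set. The sketch below is an added example, not Google's code and not part of the original article; the field names, visibility labels and function names are assumptions made for illustration.

```python
# Added illustration: every name here is hypothetical, not Google's API or code.
from dataclasses import dataclass

PUBLIC, FRIENDS, PRIVATE = "public", "friends", "private"

@dataclass(frozen=True)
class Field:
    value: str
    visibility: str  # PUBLIC, FRIENDS or PRIVATE, chosen by the user

# Constructed sample profile.
PROFILE = {
    "name": Field("Alex Example", PUBLIC),
    "occupation": Field("Nurse", FRIENDS),
    "gender": Field("female", PRIVATE),
    "email": Field("alex@example.com", PRIVATE),
}

def serialize_buggy(profile, requested):
    """Return every requested field; the user's visibility choice is never consulted."""
    return {k: profile[k].value for k in requested if k in profile}

def serialize_fixed(profile, requested, allowed=frozenset({PUBLIC})):
    """Return a requested field only if its visibility is in the allowed set (deny by default)."""
    return {k: profile[k].value for k in requested
            if k in profile and profile[k].visibility in allowed}

def leaked_fields(profile, response, allowed=frozenset({PUBLIC})):
    """Regression check: fields in a response that are unknown or not allowed by visibility."""
    return sorted(k for k in response
                  if k not in profile or profile[k].visibility not in allowed)

if __name__ == "__main__":
    wanted = ["name", "occupation", "gender", "email"]
    print(leaked_fields(PROFILE, serialize_buggy(PROFILE, wanted)))
    print(leaked_fields(PROFILE, serialize_fixed(PROFILE, wanted)))
```

Running a check like `leaked_fields` against real API responses in a test suite is one way to catch this kind of over-exposure before release.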

What Data Was Exposed?

Google said that outside developers could have seen names, email addresses, occupations, genders, and ages. But phone numbers, messages, Google Plus posts and data from other Google accounts were not exposed, according to Google. The company said in a statement that it "found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused."

However, Google could not confirm which users were actually affected by the security flaw because Google only keeps API log data for two weeks. According to its own analysis, Google suspects that up to 500,000 Google Plus accounts may have been affected.

What Is Google Doing Now?

While Google has fixed the coding glitch, it is "sunsetting" the consumer version of Google Plus and will complete the shutdown by August 2019. Users will be offered information over the coming months on how to download and save their Google Plus data.

Google is also working on developing additional controls and updating policies for its APIs. The company will also create more granular Google account permissions for users. "When an app prompts you for access to your Google account data, we always require that you see what data it has asked for, and you must grant it explicit permission," the company said. Apps will be required to show you each requested permission individually.

What Should I Do to Protect Myself?

Though you can't know if your specific Google Plus account was affected, this is a good time to make sure the security on all your Google accounts, like Gmail, Google Drive and more, is as strong as possible. Make sure you have a secure password in place and enable 2-Step Verification on your Google accounts.

If you want to delete your Google Plus account now, you can do so by opening your Gmail and clicking the "Google Apps" icon in the top right corner. There, choose "Google+." Next, click "Settings" on the left-hand side of Google Plus. At the bottom of the Settings page, you have the option to "Delete Your Google+ Profile."

How Can I Safeguard My Identity Going Forward?

In a digital world, data breaches have become par for the course. However, there are some things you can do to secure your identity as much as possible.

1. Watch out for Online Scams

Be especially aware of phishing scams. That's when fraudsters will use information about you, like your name or occupation (information that may have been accessed in the Google breach) to get you to divulge other personal data through email or text, or install malware onto your phone or computer. Never click on links in email or text asking you to divulge personal information.

2. Consider a Free Fraud Alert

If you're worried that you are a victim of identity theft, consider filing a free fraud alert on your credit file that remains active for one year through the Experian fraud center. (File it with one credit bureau and you're good to go because the bureaus will share such alerts with the other credit bureaus.) The fraud alert notifies lenders pulling your credit report to take extra steps to verify your identity.

3. Monitor Your Identity

It's always smart to monitor your identity and credit to make sure no one is accessing your data without your permission. Check your free Experian credit report for errors or suspicious accounts, and run a free dark web scan to find out if information like your Social Security number or email addresses is on the dark web.

You can freeze your credit reports, which prevents lenders from issuing new credit in your name altogether. Or try Experian CreditLock, a benefit of your Experian membership, which allows you to lock and unlock your report in real time, with no waiting period. You also receive daily monitoring of your credit file, up to $1 million in identity theft insurance, and access to your Experian credit report and FICO® Score.