Bug Affected 52.5 Million Users in Connection with a Google+ API
(Dec 11, 2018)
Following a software update to the Google+ API in November 2018, the software contained a new flaw that allowed applications to view the profile information of 52.5 million Google+ users regardless of whether it was set to "public" or "private." The information accessible to unauthorised users and applications included age, email address, name, and occupation, amongst others. Google fixed the issue within a week of discovering the breach and is investigating whether users' financial data, passwords, and other sensitive material were exposed through this flaw. Google is in the process of notifying affected customers, and has announced that it will be accelerating the retirement of Google+ by four months from the date initially stated, moving the retirement date to April 2019.
Recommendation: It is crucial for your company to verify that access control is configured correctly before adding any sensitive data. As this story shows, misconfigured APIs can leak sensitive information and grant unauthorised access to third parties; that information could be used for malicious activity and cause significant harm to a company's reputation.
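The failure mode above, as an added example that is not Google's code and does not reproduce the actual Google+ defect: a profile endpoint that must honour per-field public/private settings for non-owner callers. The profile, its visibility map, the field names and both functions are constructed for illustration; the "leaky" variant shows a default-allow lookup, the hardened variant defaults to private and is paired with a pre-release check for fields that have no visibility rule at all.

```python
"""Added example (not Google's code): field-level visibility enforcement for
a profile API, modelled on the flaw described above, where an API returned
profile fields to third-party apps regardless of the user's public/private
setting. All names, fields and sample data here are constructed."""

PUBLIC, PRIVATE = "public", "private"

# Constructed sample profile and the owner's per-field visibility choices.
SAMPLE_PROFILE = {
    "name": "Alice Example",
    "email": "alice@example.invalid",
    "age": 34,
    "occupation": "Engineer",
}
SAMPLE_VISIBILITY = {"name": PUBLIC, "occupation": PUBLIC, "email": PRIVATE}
# "age" deliberately has no visibility entry, simulating a field added to the
# profile without its access-control rule being configured first.


def profile_view_leaky(profile, visibility, caller_is_owner):
    """Anti-pattern (constructed): a field with no visibility rule is
    treated as public, so any newly added field leaks to every caller."""
    if caller_is_owner:
        return dict(profile)
    return {k: v for k, v in profile.items()
            if visibility.get(k, PUBLIC) == PUBLIC}


def profile_view(profile, visibility, caller_is_owner):
    """Hardened: the owner sees everything; any other caller (including a
    third-party app acting for another user) sees only fields explicitly
    marked public. A field with no rule is private (default deny)."""
    if caller_is_owner:
        return dict(profile)
    return {k: v for k, v in profile.items()
            if visibility.get(k, PRIVATE) == PUBLIC}


def unconfigured_fields(profile, visibility):
    """Pre-release check matching the recommendation above: list profile
    fields that have no explicit visibility rule, so the rule is configured
    before the field ships instead of relying on whatever the default is."""
    return sorted(set(profile) - set(visibility))


if __name__ == "__main__":
    print("leaky   :", profile_view_leaky(SAMPLE_PROFILE, SAMPLE_VISIBILITY, False))
    print("hardened:", profile_view(SAMPLE_PROFILE, SAMPLE_VISIBILITY, False))
    print("missing rules:", unconfigured_fields(SAMPLE_PROFILE, SAMPLE_VISIBILITY))
```

Running the check before a schema change lands, and failing the build if it returns anything, turns "verify access control before adding sensitive data" into an enforced step rather than a reminder.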