The Google+ vulnerability was discovered at nearly the same time as the notorious privacy leak scandal at Facebook, the world's largest social media network, which has been widely criticized for its failure to protect its users' private data.
Google opted not to disclose the issue partly due to fears of regulatory scrutiny, the Wall Street Journal reported, citing unnamed sources and internal documents.
The decision to not alert users was made after company officials wrote a memo concluding Google wasn't legally obligated to disclose the bug, and that there would be no point in telling users since the company had no way to confirm who was affected, according to The WSJ.
Almost 500,000 members of the Google+ social networking site had their user profile data left out in the open, easily accessible to third-party developers for over two years.
Google said that only Gmail add-on developers that pass security audits will be allowed to continue accessing users' Gmail accounts, while "most" third-party Android developers will no longer receive access to users' SMS messages, call logs and some additional forms of contact data on Android devices.
The issue apparently came about when a user granted permission to an app, allowing it to access their public data.
Google said it hasn't yet found any evidence that the data obtained as a result of the bug was misused. The bug appears to have been active between 2015 and 2018.
Ortega said such delays in reporting data leaks could become more common among technology companies as they looked to protect their reputation in the wake of legislation and privacy laws.
Even if you, like many, haven't used your Google+ account, it could still be at risk. "Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice". By doing this, it hopes to make users of Google's apps confident that their data is secure.
Google launched the service in 2011 as a challenge to Facebook but noted in its blog post on Monday that Google "has not achieved broad consumer or developer adoption".
The shutdown of Google+ won't happen immediately but will instead be a "wind-down" that ends in August 2019. In a blog post highlighting its findings, the company stated that 90 percent of all Google+ visits last fewer than five seconds.