Google is going to shut down its social media network Google+ after the company suffered a massive data breach that exposed the private data of hundreds of thousands of Google Plus users to third-party developers.

According to the tech giant, a security vulnerability in one of Google+'s People APIs allowed third-party developers to access data for more than 500,000 users, including their usernames, email addresses, occupation, date of birth, profile photos, and gender-related information.

Since Google+ servers do not keep API logs for more than two weeks, the company cannot confirm the number of users impacted by the vulnerability.

However, Google assured its users that the company found no evidence that any developer was aware of this bug, or that the profile data was misused by any of the 438 developers that could have had access.

"However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API," Google said in blog post published today.

The vulnerability was open since 2015 and fixed after Google discovered it in March 2018, but the company chose not to disclose the breach to the public—at the time when Facebook was being roasted for Cambridge Analytica scandal.

Though Google has not revealed the technical details of the security vulnerability, the nature of the flaw seems to be something very similar to Facebook API flaw that recently allowed unauthorized developers to access private data from Facebook users.

Besides admitting the security breach, Google also announced that the company is shutting down its social media network, acknowledging that Google+ failed to gain broad adoption or significant traction with consumers.

"The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds," Google said.

In response, the company has decided to shut down Google+ for consumers by the end of August 2019. However, Google+ will continue as a product for Enterprise users.

Google Introduces New Privacy Controls Over Third-Party App Permissions

As part of its "Project Strobe," Google engineers also reviewed third-party developer access to Google account and Android device data; and has accordingly now introduced some new privacy controls.

When a third-party app prompts users for access to their Google account data, clicking "Allow" button approves all requested permissions at once, leaving an opportunity for malicious apps to trick users into giving away powerful permissions.

A media report today revealed details of a significant supply chain attack which appears to be one of the largest corporate espionage and hardware hacking programs from a nation-state.

According to a lengthy report published today by Bloomberg, a tiny surveillance chip, not much bigger than a grain of rice, has been found hidden in the servers used by nearly 30 American companies, including Apple and Amazon.

The malicious chips, which were not part of the original server motherboards designed by the U.S-based company Super Micro, had been inserted during the manufacturing process in China.

The report, based on a 3-year-long top-secret investigation in the United States, claims that the Chinese government-affiliated groups managed to infiltrate the supply chain to install tiny surveillance chips to motherboards which ended up in servers deployed by U.S. military, U.S. intelligence agencies, and many U.S. companies like Apple and Amazon.

A media report today revealed details of a significant supply chain attack which appears to be one of the largest corporate espionage and hardware hacking programs from a nation-state.

According to a lengthy report published today by Bloomberg, a tiny surveillance chip, not much bigger than a grain of rice, has been found hidden in the servers used by nearly 30 American companies, including Apple and Amazon.

The malicious chips, which were not part of the original server motherboards designed by the U.S-based company Super Micro, had been inserted during the manufacturing process in China.

The report, based on a 3-year-long top-secret investigation in the United States, claims that the Chinese government-affiliated groups managed to infiltrate the supply chain to install tiny surveillance chips to motherboards which ended up in servers deployed by U.S. military, U.S. intelligence agencies, and many U.S. companies like Apple and Amazon.

"Depending on the board model, the chips varied slightly in size, suggesting that the attackers had supplied different factories with different batches," the report said.

The publication claims that Apple and Amazon found these chips on their server motherboards in 2015 and reported it to US authorities, though both Apple and Amazon strongly refute the claims.

Apple, Amazon, and Super Micro Refute the Bloomberg Report

Apple told Bloomberg that the company has never found malicious chips, "hardware manipulations," or vulnerabilities purposely planted in any of its servers, or it "had any contact with the FBI or any other agency about such an incident."

Apple ended its relationship with Super Micro in 2016. To its best guess, Apple said that the Bloomberg reporters confused their story with a previously-reported 2016 incident in which the company found an infected driver on a single Super Micro server in one of its labs.

"While there has been no claim that customer data was involved, we take these allegations seriously, and we want users to know that we do everything possible to safeguard the personal information they entrust to us," Apple says. "We also want them to know that what Bloomberg is reporting about Apple is inaccurate."

Amazon also says it is "untrue" that the company knew of "a supply chain compromise," or "servers containing malicious chips or modifications in data centers based in China," or that it "worked with the FBI to investigate or provide data about malicious hardware."

Meanwhile, Supermicro and Chinese Ministry of Foreign Affairs have also strongly denied Bloomberg's findings by releasing lengthy statements. Here you can find a full list of official statements from Amazon, Apple, Supermicro and Chinese Ministry of Foreign Affairs.

Description

On Friday, Facebook announced that they faced yet another data breach which led to the exposure of as many as 50 million accounts. The attackers managed to grab hold of the tokens of accounts through ‘View As’ feature of the social media platform.

The Wall Street Journal has reported that Ireland’s Data Protection Commission, the leading entity that looks over Facebook for the European Union, has asked for more information pertaining to the hack. The Commission has demanded information about the nature and scale of the breach to verify whether the data breach has violated GDPR laws.

General Data Protection Regulation (GDPR) is a set of strict laws that came into effect in May to ensure that European residents are not affected by the mishandling of data by the companies.
A company that is not able to protect the data of the users is liable to face a maximum fine of €20 million ($23 million), or 4% of the company’s global annual revenue from the prior year, whichever amount is larger.

Additionally, since Facebook failed to notify the regulators about the attack within the 3 days of the breach, they could also face a potential fine of 2% of their global revenue.
Personal information of 50 million accounts has been compromised according to Facebook, and they have taken the necessary steps to protect any further attack through the same mechanism. Surprisingly, Mark Zuckerberg and Sheryl Sandberg, Facebook’s COO were also affected by the attack.


It remains to be seen whether the fine will be levied on Facebook or not.