Google exposed personal data of almost 500,000 and didn't disclose it

A bug in Google+ exposed the personal data of nearly 500,000 people and Google chose not to disclose it out of fears of regulatory pressure.

That's the stunning revelation in a new report from The Wall Street Journal.

The bug, which went undiscovered from 2015 until March of this year, according to The WSJ, allowed developers to access personal data from the connections of people who had installed their app, even if those people didn't give permission for their information to be accessed.

Upon discovering the bug, Google patched it, but opted not to disclose it to the public out of fear of regulatory pressure and unfavorable comparisons to Facebook's Cambridge Analytica privacy scandal.

As many as 438 developers "may have used" the API in question, which could potentially impact up to 500,000 people, according to Google. But Google says it has no way of confirming these numbers or which users may have had their data exposed improperly.

The incident marks the beginning of the end for Google+, which the company plans to shut down over the next year. The service, which launched in 2011 out of fears of Facebook's dominance, was badly mismanaged and never gained the acclaim the search giant had hoped for. In recent years, Google+ has remained a popular destination for some niche communities, but, more often than not, has served as a punchline -- the reminder of a very public (and expensive) misstep for the search giant.

Writing in a blog post Monday, Google attempted to downplay the bug, saying it hasn't found any signs that it had been exploited.

"Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response. None of these thresholds were met in this instance," the company said.

Google also noted that the data that was exposed was limited to "optional Google+ Profile fields including name, email address, occupation, gender and age." Users' private messages were not affected, according to the company.

The decision to not alert users was made after company officials wrote a memo concluding Google wasn't legally obligated to disclose the bug, and that there would be no point in telling users since the company had no way to confirm who was affected, according to The WSJ.

While Google is trying to downplay the significance of the incident, it's likely to have bigger repercussions for the company. Its decision not to disclose the bug will likely invite the extra scrutiny it had hoped to avoid.

It also comes just weeks after a separate report in The Wall Street Journal detailed how the developers of some third-party apps are able to read users' Gmail, a policy that has been criticized by security experts.

On Monday, Google also announced sweeping changes to the policies that govern third-party apps. Users will have more control over the data requested by Gmail apps, Google said, and the company will restrict the types of services that are able to access Gmail to "only apps directly enhancing email functionality."

On Android, Google will place limits on which apps are able to view a users' call logs and SMS data to further rein in developer access to sensitive information.