Affected data included Google+ profile information like names, email addresses, occupations, gender and age information, but no personal messages, according to the company, which added that it didn't find any evidence that any developer actually exploited the bug to access any of this information.
"What's most concerning here is that Google did not feel the need to disclose the breach, and today's privacy laws don't require it", Theresa Payton, a former Chief Information Officer at the White House and Chief Executive of security firm Fortalice, tells Barron's. The lawsuit was blocked in the High Court on Monday.
The report alleges that the bug became active in 2015 and was only discovered and shut down by Google in March of this year.
That's the stunning revelation in a new report in The Wall Street Journal.
"The consumer version of Google+ now has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds", said Google, which is headquartered in Mountain View in northern California, Xinhua reported.
Google+ was launched in 2011, quickly becoming known as a failed attempt to compete with Facebook. Gmail add-on access will also be restricted to a small number of developers as part of the moves.
Despite that, the company plans to keep Google+ operational as an enterprise product, allowing companies to use it as an internal communication platform for employees.
The leaked memo says that while there is no evidence that outside developers misused any data, there is still no way to know for sure.
Google is also said to be working on improving security elsewhere, including restricting developer access to things such as SMS, call logs, and contact data on Android and add-ons for Gmail.
Following news of the exposure this week, Google issued a statement claiming they did not notify the public because there was no "evidence of misuse".
The company said it will give consumers more control over what data apps can access.
"The Data Protection Commission was not aware of this issue and we now need to better understand the details of the breach, including the nature, impact and risk to individuals and we will be seeking information on these issues from Google", the regulator said.