Google discovered a software bug that exposed private data on hundreds of thousands of users, and decided not to inform the public. Here’s our story:
on.wsj.com/2ON4dsq

Several questions are still unanswered...

How many people did this impact?

Google investigators ran tests over 2 weeks and found up to 496,951 users could be affected. However, that was just 2 weeks. The bug went unfixed for over 2 years. Over the full period, the actual number of affected users could be much higher.

Why won’t Google tell individuals if their personal data was at risk?

Because Google kept limited activity logs, it couldn’t determine which users may have actually had data taken. But it’s unclear why Google refuses to notify the 496,951 users they believe were at risk.

What caused the malfunction?

Google designed APIs to let outside developers collect Google+ profile data of you and your friends, but it wasn’t supposed to collect non-public friend data. Company says it's a “bug” but hasn't gone into specifics on how it went unnoticed so long

How thoroughly did Google investigate the possible misuse of data?

Google estimated 438 apps had access to user data. The company tested these apps but did not call or visit with any of the developers, sources say.

Did Google have any obligations to disclose this incident to the public?

Companies may be liable to notify users of a data breach if they know certain types of data was accessed. Because Google didn’t know what data was accessed, it’s unclear what laws may apply.