Slashdot Mirror


At Least Two US Attorneys General Are Investigating Google+ Breach (reuters.com)

At least two U.S. states are investigating a breach at Alphabet's Google that may have exposed private profile data of at least 500,000 users to hundreds of external developers. From a report: The investigation follows Google's announcement on Monday that it would shut down the consumer version of its social network Google+ and tighten its data-sharing policies after a "bug" potentially exposed user data that included names, email addresses, occupations, genders and ages. "We are aware of public reporting on this matter and are currently undertaking efforts to gain an understanding of the nature and cause of the intrusion, whether sensitive information was exposed, and what steps are being taken or called for to prevent similar intrusions in the future," Jaclyn Severance, a spokeswoman for Connecticut Attorney General George Jepsen, told Reuters in an email. The New York Attorney General's office also said it was looking into the breach.

34 comments

  1. More like Google- by Anonymous Coward · · Score: 0

    company motto: don't tell the truth

  2. What laws (if any) were broken? by Anonymous Coward · · Score: 0

    Between the EULA, and court precedent that companies are not responsible for damages if there is a breach, I don't see how anything is going to happen to Google. Google did all they can, and no security is good enough these days; the quality of weapons far outstrips the armor available.

    1. Re:What laws (if any) were broken? by Narcocide · · Score: 1

      I'm pretty sure that even if the terms of service clearly state "We can stalk and harass you, steal your identity and sign up for credit cards in your name, sell your identity to organized crime so they can sign up for credit cards in your name too, then use the stolen money to buy property and life insurance abroad, then defraud that life insurance by faking your death." it is still illegal.

    2. Re:What laws (if any) were broken? by Anonymous Coward · · Score: 0

      The fuck they did all they can. They're greedy and arrogant and rush things all the time without the proper precautions. They don't HAVE to be this way. They could do much more, but instead they behave just like the banks. They do the bare minimum, if that.

    3. Re:What laws (if any) were broken? by Anonymous Coward · · Score: 0

      Let's be real here. Is a developer going to actually care about security versus getting deliverables in on time? A lawsuit won't affect the dev, because there are many, many layers of company divisions and bureaucracy separating that dev from a suing customer. However, not getting deliverables on a sprint means the dev's job gets outsourced, since an offshore development company can work for pennies on the dollar that is paid to an onsite dev.

      The answer: They won't.

    4. Re:What laws (if any) were broken? by Anonymous Coward · · Score: 0

      Considering the two AGs in question are from New York and Connecticut, presumably the answer is "being successful" and "allowing too many conservatives to use your platform."

      But seriously, a lot of blue states passed laws requiring notifications of "data breaches." It's unclear why they think they can enforce them across state lines and why they think they get to trump the Commerce Clause for something that clearly falls within federal jurisdiction, but again, we're talking blue states. The Constitution has never mattered to them.

    5. Re:What laws (if any) were broken? by Anonymous Coward · · Score: 0

      Word. If you can't be bothered to take the time to build something secure, you hardly deserve to continue making money hand over fist for your laziness. Big payday requires big effort.

    6. Re:What laws (if any) were broken? by Anonymous Coward · · Score: 0

      That's you're not suing the developer, Einstein, you're suing the company. So next time the deliverables will include security.

    7. Re:What laws (if any) were broken? by jpaine619 · · Score: 1

      What the fuck? Federal law says you MUST disclose data breaches.. Nothing in a EULA can override federal (or state) law.. End of story..

    8. Re:What laws (if any) were broken? by jpaine619 · · Score: 1

      It's unclear why they think they can enforce them across state lines

      Playing Devil's advocate here, but if the company has a physical presence and a customer in the same state, the commerce clause doesn't apply.

      The commerce clause also doesn't prevent states from having regulations when you do business there.. Even if you are headquartered elsewhere..

      I don't know if Google has an actual presence in the two states in question, but if they do...

    9. Re:What laws (if any) were broken? by Anonymous Coward · · Score: 0

      Despite the misleading headline and summary, there was likely no breach. Data was exposed and could have been stolen, but there is no evidence that it actually was. No breach; no obligation to report.

    10. Re:What laws (if any) were broken? by Anonymous Coward · · Score: 0

      Despite the misleading headline and summary, there was likely no breach. Data was exposed and could have been stolen, but there is no evidence that it actually was. No breach; no obligation to report.

      There's no evidence because Google waited until their 6-month log retention period expired to report the problem.

    11. Re: What laws (if any) were broken? by brunes69 · · Score: 1

      There was no breach. Bad reporting.

  3. New Motto: by forkfail · · Score: 3, Insightful

    Report No Evil.

    --
    Check your premises.
    1. Re:New Motto: by Aighearach · · Score: 1

      Ireland doesn't sound very happy about it. Perhaps the bigger concern than even New York.

      I wonder if Google makes any money in Ireland?

    2. Re:New Motto: by Anonymous Coward · · Score: 1

      "People just submitted it. I don't know why. They "trust me". Dumb fucks." -Apparently Every Toad in the Valley

    3. Re:New Motto: by Anonymous Coward · · Score: 0

      No, but Apple and Facebook both have offices there...both of whom have had data breaches larger than this (recent facebook breach of "up to" 90,000,000 accounts).

      Google probably didn't record it because they didn't think at the time any data was lost. Not a good excuse mind you but common to most companies. "If nothing broke, pretend it didn't happen".

  4. Hopefully next by Anonymous Coward · · Score: 0

    Will be the US DOJ investigating Google..

  5. Class Action... by Oswald+McWeany · · Score: 1

    Class Action time. Give me money or give me... well, I don't care- $100million lawsuit would probably result in me getting 20 cents out of it. Actually- it would result in a fictitious Turkmenistani Harvard grad getting 20 cents out of it.

    --
    "That's the way to do it" - Punch
  6. Karma by Anonymous Coward · · Score: 0

    I hope they find everything that google is trying to hide from the public and exposes it to the world.

  7. Good by Anonymous Coward · · Score: 0

    Search is the only useful thing they've ever built and I could get by fine using something else to fill that gap. Every other thing of theirs I'm familiar with is total garbage. Tried the wifi thing just last night and the ANDROID app crashed so many times I couldn't set it up and had to use my wife's iPhone, so I'll be returning that trash. It's their own OS and they can't even keep their shit together. Embarrassing.

  8. ... after a "bug" ... by CaptainDork · · Score: 1

    Retired IT guy.

    I had bugs now and then. Sometimes the bug would be out of my wheelhouse and I'd call technical support.

    Luckily, I had SLAs that were very good (expensive) and I got direct vendor support.

    Maybe Google has to call their tech support in India?

    Anyway, Google should get the extended warranty on their stuff.

    --
    It little behooves the best of us to comment on the rest of us.
  9. Horse fuck those slimy bastards by Anonymous Coward · · Score: 0

    I truly hope that Google gets horse-fucked, and that sleazy overgrown ad agency loses their "surreptitiously strip mine your privacy and sell out to the Communist Chinese" business model.

    There's a reason why ad agencies are viewed as immoral assholes.

  10. The most surprising bit of that news by MrMr · · Score: 1

    Really, at least 500,000 users of google+? Did they all move over from facebook recently?

  11. Jettison FAILED. by Anonymous Coward · · Score: 0

    Jettison FAILED.

  12. Equifax ... anyone by Pablopelos · · Score: 1

    Whatever happened to the Equifax breach, oh yea, nothing... basically all Americans and a credit bureau ... https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do . Looking into Google for a measly 500K, that most likely did not even get exposed to outsiders, deserves a look into, meanwhile one of the big three credit agencies can keep gathering more and more data and breaching...

    1. Re:Equifax ... anyone by Bruinwar · · Score: 1

      Whatever happened to the Equifax breach, oh yea, nothing... basically all Americans and a credit bureau ... https://www.consumer.ftc.gov/b... . Looking into Google for a measly 500K, that most likely did not even get exposed to outsiders, deserves a look into, meanwhile one of the big three credit agencies can keep gathering more and more data and breaching...

      Equifax: name, address(s), employment history, marital status, likely mother's maiden name, S.S.#, driver's license#, credit history, god knows wtf else.

      Google+: User profile. Mine is quite empty, not even my last name. Not even sure when I last looked at it.

      That's not to say whoever the douche(s) that decided to keep this quiet shouldn't be punished for stupidity. But damn, Equifax... no punishment that I can find.

      --
      SLOWER TRAFFIC KEEP RIGHT
  13. All 19 users data exposed by Anonymous Coward · · Score: 0

    Onion-esque coverage

    https://babylonbee.com/news/google-plus-hacked-exposing-data-of-all-19-users

  14. There is a really obvious "why" question to ask. by Wizardess · · Score: 1

    I'm sitting here quietly chewing my cud thinking about this. It bothers me.

    "Aha," says my mind to me, "we see all these big expensive suits brought by New York and other companies back East; and, for some unknown reason see nothing out of California." Is it the crazed denizens of sack-o-tomatoes trying to be delicate dancing around their pet tech companies? Have the tech companies purchased second options on those denizens, who are already wholly owned by the public employees unions?

    Seriously, why does California, which could use a few $billion settlements to fatten its coffers, not indulge in this popular activity of blue states? Or are the denizens of Sack-o-tomatoes just plain lazy?

    {^_^}

  15. Re:There is a really obvious "why" question to ask by Anonymous Coward · · Score: 0

    "we see all these big expensive suits brought by New York and other companies back East; and, for some unknown reason see nothing out of California."

    Nothing was breached. It was exposed. Google left the door unlocked, but there is no evidence that anyone came near the door, let alone entered through it. The California Attorney General probably understands this difference, and why it's important.

  16. NOT A BREACH by brunes69 · · Score: 1

    A vulnerability and a breach ***ARE NOT*** the same thing, at all. The data was exposed, BUT NOT EXPLOITED.

    I have seen the mainstream media make this same mistake on this story over, and over, and over again. I expect a little better from Slashdot.

    1. Re:NOT A BREACH by Anonymous Coward · · Score: 0

      A vulnerability and a breach ***ARE NOT*** the same thing, at all. The data was exposed, BUT NOT EXPLOITED.

      I have seen the mainstream media make this same mistake on this story over, and over, and over again. I expect a little better from Slashdot.

      The breachers have been careful. It's not like the Equifax data "breach" is making us fall over left and right. Absence of evidence is not evidence of absence. Vulnerability is a breach, especially when Google is disingenuously hamstringing logs at 14 days in what can only be a very deliberate accountability decision.

      This late, downplayed Google "disclosure" and sunset shows a most hypocritical attitude towards disclosing vulnerabilities. You'll recall that 6 month mercy period is never given to big players when it's their Project Zero engineers conveniently on the other end of the shaming internet whistles. Google wants to shame big companies, but when it's them behind the vuln, it's not up to them to decide how to dish out merciless penalties by altering the narrative. Turning a blind eye for 3 years in light of the proven increases in identity theft and fraud trends is definitely not the right thing for Google, we the tech audience, the investors and govt regulators and the app-using public at large.

      We haven't heard the rest of the story yet, but it will come out eventually, once the current crop of engineers find the time to come clean as they overcome their current gags.

      * I work at a much smaller tech company and logging is a 30+ day situation, with the long tail extending into a year for AWS-related material. Google is NOT at a level where the log money would be hurting them, so this is negligence at the least.