More than 500,000 Google+ users could have had their names, email addresses, occupation, gender and age compromised. Google+ posts, messages, phone numbers or G Suite data were not compromised, the company said.
The data was exposed to more than 400 third-party users.
“We found no evidence that any developer was aware of this bug, or abusing the API and we found no evidence that any profile data was misused,” Ben Smith, Google’s vice president of engineering, wrote in a blog.
Beyond the security problems, Google acknowledged in the post Monday its social media network never achieved widespread adoption like Twitter and Facebook.
“The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds,” Smith said.
Google found the bug while reviewing third-party access to Google account and Android device data.
Google plans to limit which Android apps are allowed to ask for permission to access text and call log data.