But the company did not disclose the vulnerability when it fixed it in March because the company didn't want to invite regulatory scrutiny from lawmakers, according to a report Monday by the Wall Street Journal.
The Wall Street Journal says it reviewed an internal memo circulated among Google's legal staff and senior executives that warned of "immediate regulatory interest" and public comparisons to Facebook's user information leak to Cambridge Analytica should the mistake become public. "We will share more information in the coming days".
Google says it hasn't found any evidence that developers were aware of the bug, so it's unlikely that anyone abused it.
Up to 438 apps may have used the offending Google+ People API, and the profiles of up to 500,000 Google+ accounts were potentially affected, according to Google.
The exposure was the result of a flaw in programming interfaces Google made available to developers of applications that interacted with users' Google+ profiles, Google officials said in a post published after the WSJ report.
Google started an internal project called Strobe in the beginning of 2018 that looked at "third-party developer access to Google account and Android device data" and "privacy controls, platforms where users were not engaging" with APIs due to privacy concerns and other areas where Google policies "should be tightened".
Google also said the consumer version of Google+ had low usage and engagement and 90% of user sessions are less than five seconds long, essentially trashing its own product to cover up.
Last month, Google Chief Privacy Officer Keith Enright - alongside representatives from other tech and telecom giants including Apple, Amazon and AT&T - testified before the Senate on privacy practices in Silicon Valley.
"Going forward, consumers will get more fine-grained control over what account data they choose to share with each app", Google said.
It plans to shut down Google+ for consumers over the course of the next 10 months, with the platform officially retiring in August 2019. However, Google contends that there's no evidence that profile data was misused. As you can see from the above screenshots, instead of just offering a master "Allow" button that gives the third party access to various items, the new permission box will be more granular, detail each data type at length, and provide users with the ability to allow or deny each thing. "None of these thresholds were met in this instance", the company said.
Google followed suit, letting outside developers access some Google+ data with users' permission.
A spokeswoman for Google said that whenever user data may have been affected, it determines whether to tell people based on a number of criteria.