In the post, Google announced it was closing down the service after the Wall Street Journal revealed the company had known about the bug, which affected all Google+ users, since March this year.
The company said it didn't report the breach partly due to fears of regulatory scrutiny.
Google ran an internal test and found that as many as 496,951 users may have had their data compromised, according to the Wall Street Journal. Unlike in the European Union, where data breach notices are mandatory within three days of the event due to laws such as the recently passed GDPR, the USA doesn't yet have federal laws regulating data breach notices. "None of these thresholds were met in this instance", the company said.
Google told WSJ that it came to the conclusion not to disclose the issue based on several factors, including whether the company could accurately identify the impacted users, whether there was any evidence of misuse and whether there was any action the users could have taken.
A flaw was discovered in March that exposed personal information of up to 500,000 people.
The company did a review of its third party developer access to Google accounts and Android device data and found a bug in the Google + People APIs.
The consumer version was found to have low usage and engagement, with 90 percent of Google+ user sessions lasting fewer than five seconds, according to the firm. Google was afraid it, too, would become the center of attention following Facebook's Cambridge Analytica scandal, and as such chose not to disclose the information to its users. "Ultimately it will be up to users to proactively monitor how their data is used and what applications have access to that data by using strong passwords and carefully reviewing access requests prior to using an app like Google+", she added.
All these changes are happening in the coming months, giving users more control over their own data.
Google is also said to working on improving security elsewhere, including restricting developer access to things such as SMS, call logs, and contact data on Android and add-ons for Gmail. (See the full list on our developer site.) It does not include any other data you may have posted or connected to Google+ or any other service, like Google+ posts, messages, Google account data, phone numbers or G Suite content.