honr | 7 years ago

So, I couldn't understand what "exposed" means in that article. Was any user's data obtained by someone not authorized to do so, or was access to the data merely possible?

mkeyhani|7 years ago

They don’t quite know:

> We made Google+ with privacy in mind and therefore keep this API’s log data for only two weeks. That means we cannot confirm which users were impacted by this bug. However, we ran a detailed analysis over the two weeks prior to patching the bug, and from that analysis, the Profiles of up to 500,000 Google+ accounts were potentially affected. Our analysis showed that up to 438 applications may have used this API. We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused.

https://www.blog.google/technology/safety-security/project-s...

cxseven|7 years ago

Just possible. Similarly, the recent FB hack didn't actually penetrate 50 million accounts -- that was just an upper bound estimate based on how many accounts were "exposed to the risk" of being compromised, probably because they were noted as being touched by the buggy "view as" function.