The flaw meant some Google profile information that users had thought was private, such as a person’s email address, occupation, gender or age, could have been viewed by third parties, the company said in a post on a corporate blog.
Though Google found the vulnerability seven months ago, it did not tell the public at the time.
The company said that was because it could not accurately identify which users to inform, whether there was any misuse or whether there were any actions a developer or user could take in response.
The Wall Street Journal reported that Google’s legal and policy staff also prepared a memo warning that disclosing the incident would likely trigger “immediate regulatory interest” and invite comparisons to Facebook’s leak of user information to data firm Cambridge Analytica.
Google did not immediately respond to a request for comment on the report.
The security flaw will mean the end of Google+ for consumers, the company said. Google launched the service in 2011 as a challenge to Facebook but noted in its blog post on Monday that Google “has not achieved broad consumer or developer adoption.”
“The consumer version of Google+ currently has low usage and engagement: 90 percent of Google user sessions are less than five seconds,” the company said.
Low usage combined with the security challenges mean Google will wind down Google+ over the next 10 months, although it will continue to provide the service to businesses.
Google said it launched an effort at the beginning of the year called Project Strobe designed to review how other apps connect to Google +’s services, and that it was making other changes as a result. It said it would add “more granular” screens for granting permission to access data, and was adding new limits to the data that third-party apps can use.