According to a report from the Wall Street Journal, Google accidentally leaked the private data of hundreds of thousands of Google+ users between 2015 and March of this year. March was when a software bug was fixed that allowed third-party developers to access personal data.
The API flaw allowed third-party app developers to access profile and contact information that chose to sign into the apps via Google. It also provided information for people that you're connected to on the social network, even if that information was marked as private. Up to 496,951 users could have been affected, and up to 438 apps could have accessed the data.
What's probably more interesting to most users is that the advertising giant opted to not disclose the issue. Moreover, Google CEO Sundar Pichai was briefed on the decision to not tell anyone. The reason, as reported by WSJ, is that it wasn't reported "because of fears that doing so would draw regulatory scrutiny and cause reputational damage".
Google's Privacy and Data Protection Office was where the decision was made to not notify users, and the company decided that since it doesn't know which developers have what data, there's really no action that users could take. There was also a memo, however, that said that revealing the issue would cause the company " coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal” and it “almost guarantees Sundar will testify before Congress.”
That's referring to Facebook's similar issues. A Cambridge Analytica researcher had created an app that took advantage of Facebook's policy at the time that provided information of the user's information as well as their friends' information.
Google will be shutting down its Google+ social network due to this, although it was never successful by any means. The report also says that Google will announce a number of changes to its privacy policies today.