The company decided not to disclose the breach "because of fears that doing so would draw regulatory scrutiny and cause reputational damage", the WSJ reports.
Specifically, the issue disclosed Monday came through one of the Google+ "People" APIs, a developer tool available to third-party app developers.
CEO Sundar Pichai was reportedly informed of the decision to not tell users after it had already been made by an internal committee.
USA lawmakers are concerned that the big tech companies have come under scrutiny for a variety of reasons in recent years. But the post also said that, to ensure privacy, the company destroys most Google+ logs after two weeks.
Apparently trying to play down the significance of the matter, Google says that Google+ has not proved particularly popular or successful: "it has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps". Before the bug was fixed, the API could have been exploited by applications connected to Google+ accounts to access the private parts of those profiles.
Google also said the consumer version of Google+ had low usage and engagement and 90% of user sessions are less than five seconds long, essentially trashing its own product to cover up.
Several policies Google introduced on Monday are created to curb the data accessible to developers offering mobile apps on the Google Play store or add-on apps for sending and organizing Gmail messages. Well, these plans even include permanently shutting down all consumer functionality of Google+.
Ben Smith, Google's vice president of engineering, confirmed in a blog post the company had detected a "bug" in March that impacted the profiles of as many as 500,000 Google Plus users.
As a bit of a bright side, however, there was no evidence that any developer was even aware this bug existed, despite 438 applications using the API.
So the company felt that the site simply wasn't worth maintaining between its minimal traffic and its security threats, hence the ten-month period for users to migrate whatever data they need before it's taken offline in August 2019.
"None of these thresholds were met here.", she said.
Along with this, Google will also force app developers to provide more detailed explanations of what it intends to do with your Google Account if it's requesting access to it.
Google's new policy and Gmail API access rules won't safeguard Gmail users from having their inboxes pilfered for data, but it will make it harder for an app to gain access to such data in the first place.