The company discovered a bug in one of Google+'s People APIs that allowed apps access to data from Google+ profiles that weren't marked as public. It included static data fields such as name, email, occupation, gender and age. It did not include information from Google+ posts. The bug was patched in March 2018, but Google didn't inform users at that point. "We made Google+ with privacy in mind and therefore keep this API's log data for only two weeks," the company said in a blog post. "That means we cannot confirm which users were impacted by this bug."
However, Google+ will continue as a product for Enterprise users. It's by far the most popular use of the social network. Therefore, the company has made the decision that Google+ is better suited as an internal social network for companies, rather than a consumer product. Google will announce new Enterprise-focused products for Google+ in the near future.
The decision is a part of Project Strobe, which is Google's internal investigation into third-party developer account access to Google and Android products. It takes a close look at security controls, as well as low user engagement that are likely due to privacy concerns. The goal is to identify areas where privacy controls should be tightened.
Update, October 15, 2:00 PM ET: This article was updated to reflect that, while personal data was exposed, there is no evidence anyone improperly accessed it.