According to the announcement the investigation of the bug is still ongoing but there are at least a couple of things that Google can already tell us.
One of them is that apparently apps that requested access to user information got it all – even if the user had actually opted to keep it private. This included data like names, email address, occupation, and age (full list here). The good thing: The bug apparently didn’t give access to data like financial data, national identification numbers, passwords, or similar data typically used for fraud or identity theft.
The information was available for a whole 6 days before Google fixed it. Nonetheless it seems like there is no evidence that any developer was aware of the issue – which is kind of a prerequisite for it to be abused.
The issue had some other consequences though: Google decided to retire all Google+ APIs in the next 90 days. The internet giant also announced that it will accelerate the closure of Google+ itself and move the date from August 2019 to April 2019.