
Accord to a blog post from Ben Smith, Googles vice president of engineering, the bug would allow third party apps to not only gain access to the data that users where willing to share. Instead they were also able to access information marked as nonpublic. This included email addresses, occupation, gender, and age.
Google apparently discovered the issue while performing a code review of the Google+ APIs. That was back in May. While the company fixed the bug silently, they chose not to disclose it. According to the Wall Street Journal the reasoning behind that decision was fear of regulatory scrutiny: after all the leak is pretty much comparable to Facebook’s Cambridge Analytica scandal.
While Google claims that around 500 000 accounts were affected it is hard to say if the number might not be higher and if the vulnerability has actually been exploited or not: the company only keeps two weeks of API logs for its Google+ service.
All in all the bug was probably the final nail in Google+’s coffin. While not the only reason that the service is closing down, it definitely contributed. According to Google it is just too time-consuming and not really worth it to maintain the product for the few people who actually use it.