Google Data Breaches: Full Timeline Through 2023

In January 2023, some data pertaining to Google Fi customers was compromised in a breach of T-Mobile. Otherwise, the most recent Google data breach occurred in December 2018, when a bug exposed the data of 52.5 million Google+ users.

As of October 2023, there have been no reported data breaches involving Google or its parent company, Alphabet, since the above incidents. Below, we’ll go into detail on the full history of Google breaches, starting with the most recent.

January 2023: Google Fi Customer Data Stolen in T-Mobile Breach

In early January, a hacker stole customer data on over 37 million T-Mobile customers, including phone numbers, addresses, and more. Later in the month, Google notified Google Fi customers that some of their data was implicated in the breach.

In this case, Google itself was not hacked. Aside from the Google Fi customer data included in the T-Mobile breach, other Google services were in no way affected by this attack.

December 2018: Google+ Bug Exposes 52.5 Million Users’ Data

Google+ faced its second big breach of 2018 when a November update created an API bug that exposed data from 52.5 million Google+ accounts. Google fixed the bug within six days, and moved up Google+’s burial date from August to April 2019.

Google originally decided to terminate Google+ after another breach became public earlier in 2018 – read on.

July 2018: Wall Street Journal Exposes Gmail Snooping

In July 2018, the Wall Street Journal published a report revealing that third-party companies had been able to access users’ emails, including metadata as well as the email text itself. These companies included software companies such as Return Path, where human employees viewed thousands of email messages and used this data to train AI algorithms.

Google responded with their own blog post, in which they made clear third parties could only access messages with the user’s consent.

Although Google claims they do not read users’ emails, they do scan email texts and share data, including location and user ID, with advertisers. If you would like to keep your emails private, consider switching to Proton, a privacy-focused email provider that blocks trackers, encrypts your email, and refuses to spy on their users. Click here to check it out.

March 2018: Google+ Bug Exposes 500,000 Users’ Data

In March 2018, Google discovered a bug in Google+. From 2015 until March 2018, third-party developers were able to access Google+ users’ private data.

When Google discovered the issue, it promptly fixed it – but declined to tell affected users or inform the public. An internal memo noted that revealing the leak would put Google “into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal.”

News of the breach only came to light when the Wall Street Journal reported on it in October, 2018. After the story broke, Google announced that it would shut down Google+ in August 2019. But when another breach hit Google+ in December 2018, Google moved its sunset up to April 2019.

November 2016: Gooligan Malware Compromises 1 Million Android Devices

In November 2016, cybersecurity company Checkpoint discovered a malware called Gooligan that at the time was infecting 13,000 devices every day. This app appears to have penetrated devices through a combination of phishing and third-party app store downloads.

No device is perfectly immune to malware. For the sake of security, I would strongly advise steering clear of third-party app stores and learning how to identify and avoid phishing attacks.

September 2015: BrainTest Malware Infects Up to 1 Million Android Devices

In September 2015, Checkpoint researchers discovered that an app called BrainTest was infecting Android devices with a pernicious, hard-to-remove malware. In this case, the app was listed on the Google Play Store. Through obfuscation techniques, these app developers were able to deceive Google Bouncer and land on Google’s app storefront. Upon discovery, Google removed the app in question.

September 2014: Nearly 5 Million Gmail Passwords Leaked Online

While it wasn’t immediately clear how the information was obtained, in September 2014, almost 5 million Gmail addresses and passwords were published online. While Google claimed that their systems weren’t compromised, and the company took relatively swift action, requiring password resets for impacted accounts, it was a major event overall.

It is possible that the leaked information was actually a collection of email credentials from different incidents not directly involving Google. Some of the compromised data seemed to be incredibly outdated, while other credentials appeared current. In any case, it’s never a bad idea to set up two-factor authentication to make your accounts that much harder to crack.

June – December 2009: Chinese Hackers Breach Google Servers

In 2009, a group of hackers working for the Chinese government penetrated the servers of Google and other prominent American companies, such as Yahoo and Dow Chemical. The breach seems to have originated through a series of spear phishing attacks.

In a January 2010 blog post, Google indicated that the goal of the attack seems to have been to dig up information on Chinese human rights activists. The Washington Post found that the Chinese hackers were also pulling information on U.S. law enforcement surveillance of Chinese intelligence operatives in the United States.

We did not find any earlier records of data breaches involving Google.

Google Privacy Violations Over the Years

Alongside the data breaches listed above, Google has frequently been accused of violating users’ privacy. Below are some of the notable accusations and fines leveled against Google.

July 2020: Google Accused of Misleading Millions of Users About Privacy

While not technically a breach, Google was accused by an Australian watchdog of misleading millions of Australian users about the use and collection of their private data. The watchdog alleges that starting in 2016, Google began combining Google account user information with activity from non-Google sites that relied on Google technologies for the purpose of displaying ads.

Since the information was combined without direct consent from users, the watchdog labeled the move a privacy violation. However, Google disagreed, stating that they did acquire explicit consent.

April 2020: Google Faces $5 Billion Lawsuit for Tracking “Private” Browsing

In a lawsuit, Google was accused of collecting internet browsing activity on users who were making use of “private” browsing modes, also called “incognito” browsing.

While Google states that it informs users that some data may be collected when using these alternative browsing options, the lawsuit alleges that Google didn’t appropriately inform users about the tracking tools that could still harvest their activity data. Additionally, the lawsuit also brings up issues of stored data involving incognito mode activities.

The proposed class for the lawsuit could including millions of users, essentially covering anyone who used the incognito mode since June 1, 2016.

September 2019: Google Received $170 Million Fine for Child Data Privacy Breaches

After accusations that Google failed to follow certain child privacy laws regarding the collection of data on children, the tech giant agreed to pay a $170 million fine. The massive child privacy case focused on failing to obtain consent from parents before collecting data on children under 13 years of age.

The main issue involved data collected by viewers using YouTube Kids, a section of YouTube dedicated to child-friendly programming. There were also accusations that the collected data was shared with third parties.

August 2018: Google Tracking Location Data on 2 Billion Users, Sometimes Without Permission

While Google stated that pausing a user’s “location history” would prevent the creation of location-oriented records, that wasn’t exactly true. Even when users adjusted their privacy preferences to turn off location tracking, that data was still being stored in the “web and app activity” section.

Turning off the location history only stopped Google from storing specific kinds movement data on the user’s timeline. However, it didn’t prevent location data collection when users took advantage of weather apps, conducted online searches (including those that weren’t location-specific or location-dependent), and a variety of other tasks. For that, users had to turn off “web and app activity” tracking, even though that privacy section said nothing about location data.

While not a breach, many considered it a significant privacy violation. In the end, up to 2 billion users may have been impacted.

About the Author

Find Michael on LinkedIn

Michael X. Heiligenstein

Michael X. Heiligenstein is the founder and editor-in-chief of the Firewall Times. He has six years of experience in online publishing and marketing. Before founding the Firewall Times, he was Vice President of SEO at Fit Small Business, a website devoted to helping small business owners. He graduated from the University of Virginia with a degree in English and History.