A new internal database leak has revealed thousands of privacy incidents at Google over a span of six years, many of which had not been publicly known about before.
The Google leak, obtained and first reported on by tech outlet 404 Media, includes a range of privacy issues across a number of Google products that affected a broad user base including children, car owners, and even video-game giant Nintendo.
Leaked Google database reveals significant privacy breaches
The database consisted of privacy incidents reported internally by Google employees in order for the issue to be investigated and fixed. 404 Media received the internal Google database from an anonymous source. The outlet has verified the legitimacy of the leak and Google has confirmed it as well.
“At Google, employees can quickly flag potential product issues for review by the relevant teams," Google said in a statement provided to 404 Media. "When an employee submits the flag they suggest the priority level to the reviewer. The reports obtained by 404 are from over six years ago and are examples of these flags—every one was reviewed and resolved at that time. In some cases, these employee flags turned out not to be issues at all or were issues that employees found in third party services.”
Thousands of privacy incidents are detailed in the Google database. Here are some of the biggest ones.
Childrens' privacy affected
The incident potentially affecting the most users involved Socratic, a homework helper app that Google acquired in 2019. According to the leaked database, more than one million users' email addresses were publicly available on the page source of the Socratic.org website. Furthermore, the emails, along with other sensitive data like IP addresses, were available for any bad actor to scrape for over a year before the issue was addressed. The impacted users included children.
In fact, children were found to be affected in a number of these privacy incidents in the Google database. For example, childrens' voices were accidentally being logged in the YouTube Kids app at one point. In a separate incident, one thousand childrens' speech data was recorded and logged in a Google speech service. The database also lists an incident where a filter that was supposed to stop audio recordings feature children was "not correctly applied"
License plates transcribed
If someone had their car parked on public streets accessible by Google Maps' Street View, there's a chance that their license plate — and its location — could have been logged by the search giant.
According to the database, a Google employee reported in 2016 that Street View was transcribing license plates captured in photos to text. The report states that Google had a system in place to detect license plates and avoid transcribing them, but for "reasons as-yet known," the system failed." As a result, Street View "inadvertently contains a database of geolocated license plate numbers and license plate number fragments.”
Nintendo's YouTube announcements leaked
On the bright side, this privacy incident did not affect many Google users. However, it did affect one of the biggest video game companies in the world: Nintendo.
According to the database, private videos uploaded to Nintendo's YouTube account were accessed by a Google employee. The information in these videos were then leaked publicly before Nintendo officially made these announcements to the public. The report states that it was determined that the unauthorized access by the Google employee was "non-intentional."
Check out 404 Media's report for further details about even more privacy incidents revealed in the leaked Google database.
Mashable reached out to Google and Nintendo for comment. We will update this piece when we hear back.
Topics Cybersecurity Google Nintendo YouTube
