6 Years of “Routine” Privacy Breaches Revealed as Google Database Leak Emerges

by | Jun 10, 2024

A Google insider has handed a database leak to muckraking publication 404 Media, and it documents six years of privacy breaches that were largely unknown to the general public.

The information isn’t particularly scandalous, however, as the whole file consists of potential security and privacy breaches that were flagged internally and then ultimately dealt with by Google staff (usually with the deletion of accidentally exposed personal information). But the news does not help Alphabet at all, as it deals with PR incidents on multiple fronts.

A peek into Google’s internal handling of privacy breaches

The database leak is more of an interesting inside view of Google’s handling of privacy breaches rather than something that dredges up hidden scandals. The company has acknowledged that the leak is legitimate, but notes that all of the included incidents were addressed and resolved at some point.

The news is less damaging to Google than some of its other recent PR issues, such as last week’s leak of its search engine ranking process and the failures of Google Gemini and other AI tools. But there are elements of the database leak that raise concerns. The privacy breaches it documents were largely not of the sort required to be disclosed to the public, at least during the 2013-2018 period the leak covers, and so most of this is new information.

Database leak documents issues throughout Google’s operations

One of the major points of concern is a set of privacy breaches that directly impacted children. One of these came via a buggy filter for speech software, which ended up mistakenly recording and storing about 1,000 hours of audio involving the voices of minors. Another issue involved the app Socratic, which stored user email addresses in the source code of its home page for at least a year. Socratic is advertised to minors as an AI-driven homework assistance tool. In both cases the exposed data was eventually detected and deleted, but these examples show that it can take substantial time for the company to detect and address such issues internally.

At least one of Google’s government agency clients also had an internal accident put sensitive data at risk, when it was moved from its usual higher-level storage to a consumer product unintentionally. YouTube had multiple incidents that sometimes involved major corporate clients, such as an accidental exposure of a private video Nintendo was keeping in reserve for a product launch. At least one of the security and privacy breaches at the video sharing site also involved a third party contractor who was given administrator access, who abused the power to change affiliate codes in links posted to various channels.

The database leak does show that Google eventually tracks down and deals with these privacy breaches in the end, but the scope and length of time of some of the incidents give one pause. However, it is also fair to note that nothing documented here is newer than about six years old, and some date back literally over a decade at this point.

Recent Posts

How can we help?

7 + 15 =

× How can I help you?