A vulnerability in the Google+ social network exposed the personal data of up to 500,000 people using the site between 2015 and March 2018, the search giant said Monday.
Google said it found no evidence of data misuse. Still, as part of the response to the incident, Google plans to shut down the social network permanently.
The company didn’t disclose the vulnerability when it fixed it in March because it didn’t want to invite regulatory scrutiny from lawmakers, according to a report Monday by The Wall Street Journal. Google CEO Sundar Pichai was briefed on the decision not to disclose the finding, after an internal committee had already decided on the plan, the Journal said.
Google said it found the bug as part of an internal review called Project Strobe, an audit started earlier this year that examines access to user data from Google accounts by third-party software developers. The bug gave apps access to information on a person’s Google+ profile that can be marked as private. That includes details like email addresses, gender, age, images, relationship statuses, places lived and occupations. Up to 438 applications on Google+ had access to this API, though Google said it has no evidence any developers were aware of the vulnerability.
The real story here is that they didn’t disclose.