The company revealed that the usage and engagement of Google+ is even lower than some might have guessed, as 90 percent of user sessions lasted less than 5 seconds.
Two states within the United States are joining two European Union member states in investigating the breach at Google's parent company Alphabet Inc.
Google said it was unable to confirm which accounts were affected by the bug, but an analysis indicated it could have been as many as 500,000 Google+ accounts.
The Wall Street Journal reported that Google executives opted against notifying users earlier because of concerns it would catch the attention of regulators and draw comparisons to a data privacy scandal at Facebook. Up to 496,951 users could have been affected, and up to 438 apps could have accessed the data.
Google said in the blog post that it "discovered and immediately patched" a bug in March 2018 that potentially allowed app developers to access profile data from users that had not been marked as public.
Google can not confirm which users were specifically impacted by this bug.
According to Smith, "This data is limited to static, optional Google+ Profile fields including name, email address, occupation, gender and age". This bug could allow a user's installed apps to utilize the API and access non-public information belonging to that user's friends. The company has found no evidence that Profile data was misused.
A vulnerability in the Google+ social network exposed the personal data of "hundreds of thousands" of people using the site between 2015 and March 2018, according to a report Monday by the Wall Street Journal.
Our Privacy & Data Protection Office reviewed this issue, looking at the type of data involved, whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response.
"To give people a full opportunity to transition, we will implement this wind-down over a 10-month period, slated for completion by the end of next August", said Ben Smith, Google's Vice President of Engineering. "Over the coming months, we will provide consumers with additional information, including ways they can download and migrate their data", he wrote.
On Android, Google will limit apps ability to receive users call logs and short messaging service (SMS) data.