The bug in Google's developer platform on its Google Plus social network left information like a user's name, email address, occupation, gender and age vulnerable to a breach. The company said it found no evidence the data had been improperly accessed or misused.
It's something of a rare misstep for Google, which has largely avoided the privacy scandals that have plagued other social media companies in recent months. Facebook disclosed a devastating breach just last month — piling onto questions raised in March when the company's Cambridge Analytica leak was revealed. Twitter disclosed a bug in its developer platform last month as well.
Shares of Google parent Alphabet fell more than 2 percent immediately after the report before paring some losses. The stock was last seen roughly 1 percent down.
The Wall Street Journal first reported the bug and said the company's top executives covered up the security incident out of fear of government regulation. The company told the Journal it did not disclose the incident because it could not accurately identify the affected users, could not find evidence of misuse and could not identify actions to be taken by developers or users in response.
"Whenever user data may have been affected, we go beyond our legal requirements and apply several criteria focused on our users in determining whether to provide notice," Ben Smith, Google's vice president of engineering, said in a blog post revealing the bug.
Google is shutting down its Google Plus social service for consumers, the company said. The service has long seen low usage, the company said, with 90 percent of Google Plus user sessions lasting fewer than 5 seconds.
Google Plus will wind down over the next 10 months, the company said. Users will be able to download and migrate their data to another service. The enterprise version of Google Plus will remain active.