The bug in Google's developer platform on its Google Plus social network left information like a user's name, email address, occupation, gender and age vulnerable to a breach. The company said it found no evidence the data had been improperly accessed or misused.
It's something of a rare misstep for Google, which has largely avoided the privacy scandals that have plagued other social media companies in recent months. Facebook disclosed a devastating breach just last month — piling onto questions raised in March when the company's Cambridge Analytica leak was revealed. Twitter disclosed a bug in its developer platform last month as well.
Shares of Google parent Alphabet fell more than 2 percent immediately after the report before paring some losses. The stock was last seen roughly 1 percent down.
The Wall Street Journal first reported the bug and said the company's top executives covered up the security incident out of fear of government regulation. The company told the Journal it did not disclose the incident because it could not accurately identify the affected users, could not find evidence of misuse and could not identify actions to be taken by developers or users in response.