Google is pulling the plug on its flagship social network Google+ after data from up to 500,000 users was left exposed by a bug.

The tech giant said it would shut down the consumer version of the platform after it revealed users' data may have been exposed by a bug that was present for more than two years.

In a blog post, the company revealed it discovered the leak and patched it in March. It said it had no evidence that the data was misused or that any developer was aware of it or had exploited the leak.

A Google spokesperson said there were "significant challenges in creating and maintaining a successful Google+ that meets consumers' expectations".

They said the firm would now "sunset" the app, which failed to truly challenge market leader Facebook, citing "very low usage".


Google said it would "wind-down" the consumer version of the website over the next 10 months, with 90% of users accessing the site for less than five seconds.

However, it is planning to keep the platform alive for "enterprise users" in the workplace.

"Our review showed that Google+ is better suited as an enterprise product where co-workers can engage in internal discussions on a secure corporate social network," Google said.

"Enterprise customers can set common access rules, and use central controls, for their entire organisation. We've decided to focus on our enterprise efforts and will be launching new features purpose-built for businesses. We will share more information in the coming days."

Following the announcement, shares in Google's parent company Alphabet Inc were down 1.5% in response to the privacy issues.

According to The Wall Street Journal, Google had decided not to disclose the issue with its application programming interfaces (API) due to fears of increased regulatory scrutiny.

But the company said it reviewed the issue and looked at the type of data involved, if it could correctly identify the users affected to inform them, if there was any evidence of misuse, and if there was any action a user or developer could take.

"None of these thresholds were met in this instance," the firm said in its blog post. "We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any profile data was misused."

Companies have to inform a supervisory authority within 72 hours of a personal data breach under the EU's general data protection regulation (GDPR) - unless the breach is not likely to risk the rights and freedom of affected users.