Google said on Monday that it would shut down Google Plus, the company’s long-struggling answer to Facebook’s giant social network, after it discovered a security vulnerability that exposed the private data of up to 500,000 users.

Google did not tell its users about the security issue when it was found in March because it didn’t appear that anyone had gained access to user information, and the company’s “Privacy & Data Protection Office” decided it was not legally required to report it, the search giant said in a blog post.

The decision to stay quiet, which raised eyebrows in the cybersecurity community, comes against the backdrop of relatively new rules in California and Europe that govern when a company must disclose a security episode.

Up to 438 applications made by other companies may have had access to the vulnerability through coding links called application programming interfaces. Those outside developers could have seen user names, email addresses, occupation, gender and age. They did not have access to phone numbers, messages, Google Plus posts or data from other Google accounts, the company said.