If you store your videos and photos in the cloud, or at least in Google’s version of the cloud, you may want to think twice about that. A recent privacy breach may have sent your videos to the wrong person.
According to The Verge, the breach involved Google Takeout, a service that helps you download your data from the myriad services the company offers. It seems that the service hit a snag in which it accidentally included videos that were not part of a user’s account in that user’s Takeout download.
While the window was short and the bug has already been fixed, it was wide open for four days, between November 21st and November 25th, 2019. Affected users received an email that included the line “Unfortunately, during this time, some videos in Google Photos were incorrectly exported to unrelated users’ archives. One or more videos in your Google Photos account was affected by this issue. If you downloaded your data, it may be incomplete, and it may contain videos that are not yours.”
Cue every Google Photos user feverishly racking their brains to think about when they last sent that sexy video to their significant other. Photos weren’t affected, and so no private photos seem to have been exposed. One of the users who received the email is the founder of a company that helps defend organizations against data breaches. Jon Oberheide posted the whole message on Twitter.
There wasn’t much fanfare from Google about this data breach, but it can’t be overstated how serious it is. With more Pixel phones out there than ever before, there’s a whole army of people automatically sending their selfies, sexts, and family photos to the cloud with every click. Add on top of that regular users who upload their photos taken with other cameras or phones, and the .01 percent of users that Google claims were affected by this breach is still a sizable number given the company’s user base.
Google’s recommended fix for this really isn’t a fix. It says that users should delete their previous backups and download a new copy of their data. No word on what people should do if they already deleted their accounts when they thought they had all their data. Nor could the company, in a response to Oberheide, specify what videos had been downloaded.