[wglb]

I agree that it is not up for debate. They did not lose any information. The google announcement here https://www.blog.google/technology/safety-security/project-s... says that they looked for leakages and We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused.

The difference is between data being exposed and data being leaked. The difference is quite critical.

[jlarocco]

First, I don't think the difference between exposed and leaked matters with respect to whether they need to notify users about it.

In any case, I don't believe their answer. Once the API response leaves the server with extra information there's no way for them to know which fields the caller looked at because it's all done client side.

[mtgx]

They only "know" the data didn't leak in the 2 weeks prior to them finding out about it.