This is not what the article says, "Because the company kept a limited set of activity logs, it was unable to determine which users were affected and what types of data may potentially have been improperly collected, the two people briefed on the matter said. The bug existed since 2015, and it is unclear whether a larger number of users may have been affected over that time. "
'We don't know who was affected and what data may have been collected' is way different than what you're saying. It also opens up lots of questions, such as why a company with the resources of Google would not persist security critical logs indefinitely.
'We don't know who was affected and what data may have been collected' is way different than what you're saying. It also opens up lots of questions, such as why a company with the resources of Google would not persist security critical logs indefinitely.