A lot of the time I feel Google gets a bad rep on HN as the comments are so often filled with hyperbole. In this case however Google did a very poor job of disclosing this leak in their sunsetting Google+ announcement post. I would have much preferred an incident report explaining what really happened, even if they couldn't find any examples of abuse.
Conveniently for them, they only kept 2 weeks of logs (this is a 3 year old bug). I might implement that at my company. Take two weeks to patch and test the security hole, then review my two weeks of logs for any evidence of a breach. Then tell customers we haven't found any evidence of illicit access.
Not only that but does anyone actually believe they only kept two weeks of logs? I find it very suspect that the company known for amassing data only keeps some data for two weeks. How convienent for them.
