Google opted not to disclose the issue partly due to fears of regulatory scrutiny, the Wall Street Journal reported earlier, citing unnamed sources and internal documents.
A software glitch in the social site gave outside developers potential access to private Google+ profile data between 2015 and March 2018, when internal investigators discovered and fixed the issue, the report said.
Shares of Alphabet Inc were down 2.6 percent at $1138.53.
The affected data is limited to static, optional Google+ Profile fields including name, email address, occupation, gender and age, Google said.
"We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused," Google said.
A memo, prepared by Google's legal and policy staff and shared with senior executives, warned that disclosing the incident would likely trigger "immediate regulatory interest" and invite comparisons to Facebook's leak of user information to data firm Cambridge Analytica, the WSJ report said.
Allegations of the improper use of data for 87 million Facebook users by Cambridge Analytica, which was hired by President Donald Trump's 2016 U.S. election campaign, has hurt the shares of the world's biggest social network and prompted multiple official investigations in the United States and Europe.
Google Chief Executive Officer Sundar Pichai was briefed on the plan not to notify users after an internal committee had reached that decision, according to the WSJ.
In weighing whether to disclose the incident, the company considered "whether we could accurately identify the users to inform, whether there was any evidence of misuse, and whether there were any actions a developer or user could take in response," a Google spokesman told WSJ. "None of these thresholds were met here."