Two Democratic senators are questioning if Google violated a consent agreement with the Federal Trade Commission (FTC) in failing to disclose a software vulnerability that exposed the data of nearly half a million Google Plus users.

Sens. Catherine Cortez Masto (Nev.) and Amy Klobuchar (Minn.) on Wednesday sent a letter to Google CEO Sundar Pichai expressing their concerns about the exposure and the company’s response to it.

“While Google has not uncovered evidence that developers took advantage of this vulnerability or that profile data was misused, it has failed [to] protect consumers’ data and kept consumers in the dark about serious security risks,” the senators wrote.

“At a time when Americans’ trust in large, online companies is at an all-time low, we are deeply dismayed that more care was not taken to inform consumers about threats to their personal information.”

The Wall Street Journal first reported the data exposure earlier this month, revealing that the flaw gave app developers access to data on nearly 500,000 users. The Journal also reported that Google didn’t disclose the vulnerability when it was first discovered in March, partly because it was concerned about drawing regulatory scrutiny at a time when Facebook was being hammered by lawmakers over its Cambridge Analytica scandal.

A spokesman for Google declined to comment on the letter, except to take issue with the senators referring to the incident as a “breach,” which commonly refers to incidents in which data was stolen. Google says it has found no evidence that any users’ information was taken.

Google has to abide by strict privacy requirements outlined in a 2011 settlement with the FTC. The company was fined $22.5 million in 2012 over privacy violations, and Cortez Masto and Klobuchar said the latest incident raises “serious questions about whether another violation may have taken place.”

“Time and time again we have seen that tech companies and social media platforms are unwilling or unable to self-regulate in a way that protects consumers,” they wrote. “As Congress considers enacting a federal privacy law, platforms like Google must do more to restore trust with consumers regarding the security of their data and how it is being used.”