Facebook says 5,000 app developers got user data after cutoff date

A Facebook privacy mechanism blocks apps from receiving user data if users didn't use an app for 90 days. Facebook said 5,000 apps continued to receive user data regardless.
Written by Catalin Cimpanu, Contributor

Social media giant Facebook disclosed on Wednesday a new user privacy incident. The company said that it continued sharing user data with approximately 5,000 developers even after their application's access expired.

The incident is related to a security control that Facebook added to its systems following the Cambridge Analytica scandal of early 2018.

Responding to criticism that it allowed app developers too much access to user information, Facebook at the time added a new mechanism to its API that prevented apps from accessing a user's data if the user had not used the app for more than 90 days.

However, Facebook said that it recently discovered that in some instances, this safety mechanism failed to activate and allowed some apps to continue accessing user information even past the 90-day cutoff date.

Konstantinos Papamiltiadis, VP of Platform Partnerships at Facebook, said engineers fixed the issue on the same day they found it.

The Facebook executive said the company also analyzed internal logs to determine the scope of the breach.

"From the last several months of data we have available, we currently estimate this issue enabled approximately 5,000 developers to continue receiving [user] information," Papamiltiadis said.

The company didn't clarify how many users were impacted and had their data made available to app developers even after they stopped using the app.

Facebook said the good news was that its systems didn't leak more user data than what users initially allowed the app to access, which means that unless users changed profile details, the apps already had that data about users on file.

But besides disclosing a new privacy breach, Facebook also announced new terms and policies for its developer platform.

Papamiltiadis said the new terms limit the information developers can share with third parties without receiving explicit consent from Facebook users, and also ensure developers clearly understand that they have a responsibility to safeguard user data if they tap into Facebook's platform and userbase to build their own business.

In recent months, Facebook has filed several lawsuits against app developers that abused its platform, and the new developer terms and policies will be a new weapon in the company's legal arsenal against the developers who break its rules.
