Facebook said Wednesday that it shared user data with thousands of developers even after access should have expired. The social network said it fixed the issue, but the mistake allowed an estimated 5,000 developers to continue receiving user data for a longer time than expected.
In 2018, Facebook said that developers would no longer have access to certain user data if the person hadn’t use the developer’s app in the last 90 days. People can use their Facebook account to log into various apps, which provides developers information such as their birthday, email, friends list and hometown. The social network made the change in the wake of the Cambridge Analytica scandal that year. UK political consultancy Cambridge Analytical harvested data from up to 87 million users without their permission, sparking concerns that Facebook wasn’t doing enough to safeguard user data.
Facebook said that the company recently discovered that apps continued to receive data from the social network even if a user wasn’t active on the developer’s app for 90 days. The social network said that developers received information such as a user’s gender and language after the expiration date.
“For example, this could happen if someone used a fitness app to invite their friends from their hometown to a workout, but we didn’t recognize that some of their friends had been inactive for many months,” Facebook said in a blog post.
The company, which has more than 2.6 billion monthly active users, doesn’t say in the post how many users are impacted or if they will be notified their data was accessed for a longer period of time than expected. Facebook said it will continue to investigate the issue but that the company hasn’t found evidence that the data was misused by developers. A Facebook spokesman said the company doesn’t have any more information to share at this time.
Users can see which apps have access to their Facebook data by going to their settings and clicking on “Apps and websites.” If you haven’t been active on a developer’s app for more than 90 days, the developer “may still have access to info you previously shared, but their ability to make additional requests for private info has expired,” according to Facebook.
Facebook got slapped with a record $5 billion fine from the Federal Trade Commission following the Cambridge Analytica scandal.