Facebook flaw gave 5,000 developers access to users' data

Information from users' profiles was accessible after the 90-day time limit had expired

Facebook has admitted that it accidentally shared user data with developers for longer than it should have.

Facebook is supposed to cut off an app's access to a user's personal data if that user has not used the app for more than 90 days. However, the social network has said that a flaw in how inactivity was recorded allowed approximately 5,000 developers to collect data from users’ profiles after the 90-day time limit on their rights had expired.

“Recently, we discovered that in some instances apps continued to receive the data that people had previously authorized, even if it appeared they hadn’t used the app in the last 90 days,” Facebook admitted in a statement.

“For example, this could happen if someone used a fitness app to invite their friends from their hometown to a workout, but we didn’t recognize that some of their friends had been inactive for many months. 

“From the last several months of data we have available, we currently estimate this issue enabled approximately 5,000 developers to continue receiving information - for example, language or gender - beyond 90 days of inactivity as recognized by our systems.”

Facebook says it fixed the issue the day after discovering it, adding that it plans to investigate the slip-up and that it will continue to prioritize transparency with respect to any major updates. It has not stated how many users had their personal data scraped.

In 2018, the Cambridge Analytica privacy scandal exposed how third-party apps were harvesting Facebook users’ personal information. Cambridge Analytica’s app harvested the data of users who interacted with the app, as well as their friends who had not consented to the use of their data. 

Following the US Congress’ questioning of Mark Zuckerberg in 2018 on how Facebook dealt with users’ personal data, the company established the 90-day lock-out policy for apps that year. However, the lock-out did not work as intended.

A company rep stated: “We haven’t seen evidence that this issue resulted in sharing information that was inconsistent with the permissions people gave when they logged in using Facebook.”

Facebook has also simplified its platform terms and developer policies to provide clearer guidance on data usage and sharing, as well as on respecting users’ privacy when using its platform.

Facebook stated: “These new terms limit the information developers can share with third parties without explicit consent from people. They also strengthen data security requirements and clarify when developers must delete data.”
