Facebook has said it mistakenly allowed 5,000 app developers to access information about its users after a time-limit system failed to expire that access properly.
The system, introduced in 2018 to block a loophole used in the Cambridge Analytica scandal, was designed to shut off data access to third-party developers if a Facebook user hadn’t opened an app in the last 90 days.
The company said yesterday they had discovered the fix had not always worked the way it was meant to, leaving some user data exposed for longer than it should have been.
“This could happen if someone used a fitness app to invite their friends from their hometown to a workout, but we didn’t recognise that some of their friends had been inactive for many months,” said Konstantinos Papamiltiadis, Facebook’s vice president of platform partnerships.
The leak left information such as language or gender exposed to an estimated 5,000 developers. However, that estimate is based only on the “last several months of data we have available,” Papamiltiadis said.
“We fixed the issue the day after we found it,” he added, saying there was no evidence any information had been exposed that users had not granted permission for when they logged in using Facebook.
Facebook did not say how many users were affected by the flaw.
The disclosure follows the platform’s largest privacy scandal in 2018, in which third-party developers were able to harvest troves of user data.
Research firm Cambridge Analytica allegedly used this access to build a comprehensive database of personal information about Facebook users and their friends, regardless of whether users had given permission for that information to be visible.
Facebook shares edged down slightly in pre-market trading.