Facebook in a blog post on Tuesday disclosed yet another privacy breach that gave unauthorized access to users’ data to roughly 100 partners over the last 18 months.
In a recent security review, the social networking giant found that the apps, primarily social media management and video streaming apps, retained access to information such as the names and profile pictures of members in various Facebook groups, linked with their activity in those groups, through the Groups API (application programming interface), despite Facebook announcing Groups API restrictions in April 2018.
Facebook found that at least 11 developers improperly accessed users’ information in the last 60 days through the Groups API.
Before the Groups API was modified, Facebook allowed app developers to access information about a group's members, such as their profile pictures, names, and more, once the group admin had authorized the app.
However, this was changed following the Cambridge Analytica scandal: an app would then only receive information such as the group's name, the number of members, and the content of posts, and only if an admin authorized this access. For an app to access additional information, such as names and profile pictures in connection with group activity, group members had to opt in.
“As part of our ongoing review, we recently found that some apps retained access to group member information, like names and profile pictures in connection with group activity, from the Groups API, for longer than we intended. We have since removed their access. Today we are also reaching out to roughly 100 partners who may have accessed this information since we announced restrictions to the Groups API, although it’s likely that the number that actually did is smaller and decreased over time,” Konstantinos Papamiltiadis, Facebook Director of Developer Platforms & Programs wrote in the blog post.
Facebook said that it is reaching out to the roughly 100 third-party developers who had access to the restricted data and has requested that they delete it. It is also planning to conduct audits to confirm that the developers have deleted the data as requested.
“We’ve removed or restricted a number of our developer APIs, such as the Groups API, which provides an interface between Facebook and apps that can integrate with a group,” Papamiltiadis said.
Further, Papamiltiadis said that the new framework under Facebook's agreement with the FTC means more accountability and transparency into how it builds and maintains products.
“We aim to maintain a high standard of security on our platform and to treat our developers fairly. As we continue to work through this process we expect to find more examples of where we can improve, either through our products or changing how data is accessed. We are committed to this work and supporting the people on our platform,” Papamiltiadis added.
Facebook did not disclose the names of the developers who accessed the data, nor how many users had their data accessed over the last 18 months. It is also currently unclear whether the member data was exploited for advertising or any other malicious purpose.