Facebook has again admitted to improperly sharing user data with third-party companies.
The social media giant vowed to crack down on how much information was sent to independent app developers back in 2018 but has repeatedly failed to do so.
In a blog post, Konstantinos Papamiltiadis, vice-president of Platform Partnerships at Facebook, revealed a few sparse details about the latest issue.
He said around 5,000 apps had recently received data they should not have, including email addresses, birthdays, language and gender of users.
Facebook says the issue was fixed after it was discovered, but did not state when it was found, how it went undetected for two years, or how many users are impacted.
MailOnline has approached Facebook for comment.
In 2018, the social media giant announced it would be putting in restrictions on its previously uninhibited flow of user data to app developers.
This included shutting off the data stream to an app developer if a user did not log in to their product within 90 days.
It appears this latest instalment in the ongoing saga of Facebook’s privacy debacles stems from a bug which did not shut off the data when the 90-day threshold was reached.
Details of how this happened, why it was not detected earlier, and what led to its discovery now, remain unknown as Facebook will not disclose details.
Facebook would not reveal how many users were affected by this breach when asked by MailOnline.
‘Recently, we discovered that in some instances apps continued to receive the data that people had previously authorized, even if it appeared they hadn’t used the app in the last 90 days,’ Mr Papamiltiadis said in the post.
‘For example, this could happen if someone used a fitness app to invite their friends from their hometown to a workout, but we didn’t recognize that some of their friends had been inactive for many months.
‘From the last several months of data we have available, we currently estimate this issue enabled approximately 5,000 developers to continue receiving information — for example, language or gender — beyond 90 days of inactivity as recognized by our systems.
‘We haven’t seen evidence that this issue resulted in sharing information that was inconsistent with the permissions people gave when they logged in using Facebook.
‘We fixed the issue the day after we found it. We’ll keep investigating and will continue to prioritize transparency around any major updates.’
This specific issue appears to now be resolved, but the company has a track record of sub-optimal privacy protection.
And despite the latest pledge from Mr Papamiltiadis that it is continuing to investigate, the lack of details and spotted history is far from reassuring.
Late last year, the same Facebook chief issued a statement on a similar situation.
That issue was to do with groups and gave apps access to information on members, including profile pictures and names.
‘We know at least 11 partners accessed group members’ information in the last 60 days,’ he said at the time.
And in 2018, a similar situation arose. In this instance, Mr Papamiltiadis said: ‘We’ve taken a number of steps this year to limit developers’ access to people’s Facebook information, and as part of that ongoing effort, we’re in the midst of reviewing all our APIs and the partners who can access them.’