Data on 3 million users exposed in another Facebook app gaffe

The data was collected for a project at the University of Cambridge.

Laura Hautala Former Senior Writer
Facebook CEO Mark Zuckerberg onstage in May at the F8 developer conference. A report Monday alleges that data on 3 million Facebook users sat exposed on a web portal created by researchers at the University of Cambridge.

James Martin

Researchers at the University of Cambridge uploaded user data from 3 million Facebook users onto a shared portal. They locked the data with a username and password. But other researchers later posted the login credentials online.

That exposed the data to anyone who did a quick web search to find the username and password. The exposure was first revealed by a report on Monday from New Scientist.

The incident has echoes of the larger scandal plaguing both Facebook and researchers affiliated with the University of Cambridge. Political consultancy Cambridge Analytica improperly obtained the data of 87 million Facebook users when researcher Aleksandr Kogan shared information he collected through a personality quiz. 

In the new data exposure incident, a different set of researchers collected user information with consent through a personality app, called myPersonality, and then made it available to other researchers through a web portal. According to the New Scientist report, researchers with access to the data set posted the username and password online on the data sharing website GitHub about four years ago. While the data was anonymized, privacy experts told the publication that it would be easy to associate data in the collection with the person who originally posted it on Facebook.

The researchers who created the app are based at the Psychometrics Centre at the University of Cambridge. David Stillwell, one of the researchers, said in an email to CNET that a professor from the University of Michigan posted the login credentials online. 

"In connection with a faculty member's class, a group of three students were provided access to the database for purposes of collaborating on a research-focused class project," Kim Broekhuizen, a spokeswoman for the University of Michigan, said in an email. "The Terms of Use, which state that the data had been anonymized, specifically allowed the faculty member to share data with students in the faculty member's research group." Broekhuizen said the university isn't aware of the circumstances under which the login credentials were shared online.

The New Scientist article said Kogan was listed as a collaborator on the myPersonality app until 2014. In the email, Stillwell said that Kogan was never affiliated with the organization.

In an online statement, the Psychometrics Centre explained in detail the differences between the myPersonality app and the now-infamous app created by Kogan, called thisisyourdigitallife. That app was able to collect information on a Facebook user's profile, as well as information from all of his or her Facebook friends' profiles.

But the myPersonality app didn't do that kind of collection, according to the statement from the Psychometrics Centre. "No app developed by the Psychometrics Centre has ever obtained Facebook profile information from its users' friends," the project said in its statement. 

The myPersonality app has been suspended since April 7. Facebook is aware that the login credentials were published on GitHub; the issue was flagged in the company's program for fielding information about potential misuse or abuse of Facebook user data.

"We suspended the myPersonality app almost a month ago because we believe that it may have violated Facebook's policies," said Ime Archibong, Facebook's vice president of product partnerships, in an emailed statement. "We are currently investigating the app, and if myPersonality refuses to cooperate or fails our audit, we will ban it."

The social network has suspended about 200 apps as part of its efforts to track down more apps that may have misused user information, Archibong said in a blog post Monday. The company will further investigate the apps, and Facebook plans to notify users of how exactly their data was affected if it finds evidence of abuse. 

The University of Cambridge and Kogan didn't respond to requests for comment.

"There is a lot more work to be done to find all the apps that may have misused people's Facebook data -- and it will take time," Archibong said in his blog post. "We are investing heavily to make sure this investigation is as thorough and timely as possible. We will keep you updated on our progress."

First published May 14, 2:11 p.m. PT
Updates, 5:16 p.m.: Adds comment from Facebook, background information and a link to the company's blog post; May 15 at 10:40 a.m.: Includes statement from the Psychometrics Centre and one of its researchers; 12:29 p.m. and 1:18 p.m.: Adds statements from the University of Michigan.
