Facebook shared user data with developers after access should have expired

The social network says it fixed the problem.

Queenie Wong Former Senior Writer
Queenie Wong was a senior writer for CNET News, focusing on social media companies including Facebook's parent company Meta, Twitter and TikTok. Before joining CNET, she worked for The Mercury News in San Jose and the Statesman Journal in Salem, Oregon. A native of Southern California, she took her first journalism class in middle school.
Expertise I've been writing about social media since 2015 but have previously covered politics, crime and education. I also have a degree in studio art. Credentials
  • 2022 Eddie award for consumer analysis
Queenie Wong
2 min read

Facebook has faced several privacy scandals.

Graphic by Pixabay/Illustration by CNET

Facebook said Wednesday that it shared user data with thousands of developers even after access should have expired. The social network said it fixed the issue, but the mistake allowed an estimated 5,000 developers to continue receiving user data for a longer time than expected. 

In 2018, Facebook said that developers would no longer have access to user data if the person hadn't use the developer's app for 90 days. People can use their Facebook account to log into various apps, which provides developers information such as a user's birthday, email, friends list and hometown. The social network limited developer access to user data in the wake of the Cambridge Analytica scandal that year. UK political consultancy Cambridge Analytica harvested data from up to 87 million users without their permission, sparking concerns that Facebook wasn't doing enough to safeguard user privacy.

Facebook said that the company recently discovered that apps continued to receive data from the social network even if a user wasn't active on the developer's app for 90 days. The social network said that developers received information such as a user's gender and language after the expiration date.

"For example, this could happen if someone used a fitness app to invite their friends from their hometown to a workout, but we didn't recognize that some of their friends had been inactive for many months," Facebook said in a blog post.

The company, which has more than 2.6 billion monthly active users, doesn't say in the post how many users are impacted or if they will be notified individually. Facebook said it will continue to investigate the issue but that the company hasn't found evidence that the data was misused by developers. A Facebook spokesman said the company doesn't have any more information to share at this time.

Users can see which apps have access to their Facebook data by going to the social network's settings and clicking on "Apps and websites." If you haven't been active on a developer's app for more than 90 days, the developer "may still have access to info you previously shared, but their ability to make additional requests for private info has expired," according to Facebook.

Facebook got slapped with a record $5 billion fine from the Federal Trade Commission following the Cambridge Analytica scandal.