Researchers at the University of Cambridge uploaded user data from 3 million Facebook users onto a shared portal. They locked the data with a username and password. But other researchers later posted the login credentials online.
That exposed the data to anyone who did a quick web search to find the username and password. The exposure was first revealed by a report on Monday from New Scientist.
The incident has echoes ofand researchers affiliated with the University of Cambridge. Political consultancy Cambridge Analytica improperly obtained the data of 87 million Facebook users when researcher Aleksandr Kogan shared information he collected through a personality quiz.
In the new data exposure incident, a different set of researchers collected user information with consent through a personality app, called myPersonality, and then made it available to other researchers through a web portal. According to the New Scientist report, researchers with access to the data set posted the username and password online on the data sharing website GitHub about four years ago. While the data was anonymized, privacy experts told the publication that it would be easy to associate data in the collection with the person who originally posted it on Facebook.
The researchers who created the app are based at the Psychometrics Centre at the University of Cambridge. David Stillwell, one of the researchers, said in an email to CNET that a professor from the University of Michigan posted the login credentials online.
The New Scientist article said Kogan was listed as a collaborator on the myPersonality app until 2014. In the email, Stillwell says that Kogan was never affiliated with the organization.
In an online statement, the Psychometrics Centre explained in detail the differences between the myPersonality app and the now-infamous app created by Kogan, called thisisyourdigitallife. That app was able to collect information on a Facebook user's profile, as well as information from all of his or her Facebook friends' profiles.
But the myPersonality app didn't do that kind of collection, according to the statement from the Psychometrics Centre. "No app developed by the Psychometrics Centre has ever obtained Facebook profile information from its users' friends," the project said in its statement.
The myPersonality app has been suspended since April 7. Facebook is aware that the login credential was published on GitHub; the issue was flagged in the company's.
"We suspended the myPersonality app almost a month ago because we believe that it may have violated Facebook's policies," said Ime Archibong, Facebook's vice president of product partnerships, in an emailed statement. "We are currently investigating the app, and if myPersonality refuses to cooperate or fails our audit, we will ban it."
The social network has suspended about 200 apps as part of its efforts to track down more apps that may have misused user information, Archibong said in a blog post Monday. The company will further investigate the apps, and Facebook plans to notify users of how exactly their data was affected if it finds evidence of abuse.
The University of Cambridge and Kogan didn't respond to requests for comment.
"There is a lot more work to be done to find all the apps that may have misused people's Facebook data -- and it will take time," Archibong said in his blog post. "We are investing heavily to make sure this investigation is as thorough and timely as possible. We will keep you updated on our progress."
First published May 14, 2:11 p.m. PT
Updates, 5:16 p.m.: Adds comment from Facebook, background information and a link to the company's blog post; May 15 at 10:40 a.m.: Includes statement from the Psychometrics Centre and one of its researchers; 12:29 p.m. and 1:18 p.m.: Adds statements from the University of Michigan.
Cambridge Analytica: Everything you need to know about Facebook's data mining scandal.
Blockchain Decoded: CNET looks at the tech powering bitcoin -- and soon, too, a myriad of services that will change your life.