Facebook says 100 app developers may have improperly accessed user data


Facebook in a blog post on Tuesday disclosed yet another privacy breach that gave unauthorized access to users’ data to roughly 100 partners over the last 18 months.

In a recent security review, the social networking giant found that the apps, primarily social media management and video streaming apps, retained access through the Groups API (application programming interface) to information like names and profile pictures of members in various Facebook groups, linked with their activity in those groups, despite the Groups API restrictions Facebook announced in April 2018.

Facebook found that at least 11 developers improperly accessed users’ information in the last 60 days through the Groups API.

Before modifications were made to the Groups API, Facebook allowed app developers to access information about a group’s members, such as their profile pictures, names, and more, once the group admin authorized the app.

However, this was changed following the Cambridge Analytica scandal. After the change, an app would only get information such as the group’s name, the number of users, and the content of posts if an admin authorized this access. For an app to access additional information such as name and profile picture in connection with group activity, group members had to opt in.

“As part of our ongoing review, we recently found that some apps retained access to group member information, like names and profile pictures in connection with group activity, from the Groups API, for longer than we intended. We have since removed their access. Today we are also reaching out to roughly 100 partners who may have accessed this information since we announced restrictions to the Groups API, although it’s likely that the number that actually did is smaller and decreased over time,” Konstantinos Papamiltiadis, Facebook Director of Developer Platforms & Programs, wrote in the blog post.

Facebook said that it is reaching out to 100 third-party developers who had access to the restricted data and has asked them to delete it. Further, it is also planning to conduct audits to confirm that the developers have deleted the requested data.

“We’ve removed or restricted a number of our developer APIs, such as the Groups API, which provides an interface between Facebook and apps that can integrate with a group,” Papamiltiadis said.

Further, Papamiltiadis said that the new framework under the company’s agreement with the FTC means more accountability and transparency into how it builds and maintains products.

“We aim to maintain a high standard of security on our platform and to treat our developers fairly. As we continue to work through this process we expect to find more examples of where we can improve, either through our products or changing how data is accessed. We are committed to this work and supporting the people on our platform,” Papamiltiadis added.

Facebook did not disclose the names of the developers who accessed the data nor how many users’ data was accessed over the last 18 months. Currently, it is also unclear whether member data was exploited for advertising or any other malicious purposes.
