Facebook has admitted that it wrongly shared the personal data of ‘inactive’ users for longer than it was authorized, as revealed in a company blog post.
The social media giant estimates that the bug caused around 5,000 third-party app developers to continue to receive information about users who had previously used Facebook to log in to their apps, even if users had not used the app in the past few years. 90 days.
Exceeding that deadline runs counter to Facebook’s policy, which promises that third-party applications would no longer be able to receive personal information about a user if they had not accessed the application in the past 90 days.
While the company did not confirm how many people were affected, it did say that personal information shared with third-party apps could include email addresses, birthdays, gender, or spoken language.
How did this happen?
According to a Facebook spokesperson, if an active user was a friend of Facebook with an inactive user through a third-party application, the application could continue to receive data that the inactive user had previously authorized.
“For example, this could happen if someone were to use a fitness app to invite their friends from their hometown to a workout, but we did not recognize that some of their friends had been inactive for many months,” the spokesperson wrote.
“We solved the problem the day after we found it,” says the spokesperson. “We will continue to investigate and continue to prioritize transparency around any major updates.”
The 90-day limit was introduced as part of Facebook’s review of its privacy settings, following the 2018 Cambridge Analytica scandal, in which an estimated 87 million users have their personal data collected by the now-defunct Political consulting firm without consent.
