Facebook has admitted that it wrongly shared the personal data of ‘inactive’ users for longer than it was authorized to, as revealed in a blog post from the company.
The social media giant estimates the error saw around 5,000 third-party app developers continue to receive information about users who had previously used Facebook to sign into their apps, even if users hadn’t used the app in the past 90 days.
Exceeding that time frame goes against Facebook’s policy, which promises third-party apps would no longer be able to receive personal information about a user if they had not accessed the app within the last 90 days.
While the company didn’t confirm how many people were affected, it said personal information shared with third-party apps could include email addresses, birthdays, gender or language spoken.
How did this happen?
According to a spokesperson for Facebook, if an active user was Facebook friends with an inactive user through a third-party app, the app could continue to receive data that the inactive user had previously authorised.
“For example, this could happen if someone used a fitness app to invite their friends from their hometown to a workout, but we didn’t recognize that some of their friends had been inactive for many months,” the spokesperson wrote.
“We fixed the issue the day after we found it,” says the spokesperson. “We’ll keep investigating and will continue to prioritize transparency around any major updates.”
The 90-day limit was introduced as part of Facebook’s overhaul of its privacy settings, following the Cambridge Analytica scandal in 2018 which saw an estimated 87 million users have their personal data harvested by the now defunct political consulting firm without consent.
