Facebook admitted a flaw allowed around 5,000 third-party app developers to collect personal information of its users after authorised access to the data had expired.
In a blog, Facebook VP of platform partnerships Konstantinos Papamiltiadis explained the issue was linked to a policy implemented in 2018 forbidding apps from accessing non-public information if a user had not used the service for 90 days. This required developers to renew permission.
However, the company admitted a flaw in identifying periods of inactivity resulted in the policy breach.
Papamilitiadis said analysis of “the last several months of data we have available” showed the number of developers which potentially had access to the information. But he said the company had not found “evidence that this issue resulted in sharing information”, and pledged to continue investigating.
The company also introduced new terms and policies to limit the information developers can share with third parties without user consent and clarifying when data must be deleted.
Facebook faced hefty criticism over its data protection policies following the Cambridge Analytica scandal in 2018.