Facebook revealed on Wednesday that it continued to share data with third-party developers even after 90 days of user inactivity. The social media giant added a 90-day limit for apps in April 2018 following the infamous Cambridge Analytica scandal, which prompted a wave of ‘delete Facebook’ calls across the internet.
According to Facebook’s blog post, the flaw allowed approximately 5,000 developers to access user data. The developers should not have been able to access the data once Facebook users had not used their app for 90 days.
“From the last several months of data we have available, we currently estimate this issue enabled approximately 5,000 developers to continue receiving information beyond 90 days of inactivity as recognized by our systems,” wrote Facebook’s VP of Platform Partnerships Konstantinos Papamiltiadis.
Facebook claims to have fixed the issue the day after they discovered it. The company, however, did not reveal how many users were impacted by this problem. The compromised data includes, but is not limited to, language and gender. However, the social media giant clarifies that the apps did not have additional permissions to user data. In other words, the app’s access to data was limited to what the user had previously allowed when using it.
In the same blog post, the company has announced new platform terms and developer policies to prevent such incidents from happening in the future. The company says that businesses and developers are required to comply with their new policies. According to Papamiltiadis, these new terms will “limit the information developers can share with third parties without explicit consent”. The new guidelines will also require developers to delete data if it is no longer needed.