Facebook Inc. said it unknowingly gave outside developers access to private user information shared within some groups on its main social network, including the names and profile photos of people who were part of those groups.
The company disclosed the issue Tuesday, saying that for the past 18 months some third-party developers who used Facebook’s Groups API — a software program that allows for information sharing between Facebook and outside developers — could see which users shared posts or left comments inside a group, even though they weren’t supposed to have that level of detail. Access to that information has now been removed or limited, the company said.
Beginning in April 2018, Facebook restricted access so that these outside partners could only see the text of posts or comments from inside groups, but not the names or photos of the people who shared them. The company discovered in a recent review that this additional information was also being shared. This API is popular with developers who build programs to manage Facebook groups focused on topics like customer service.
The Menlo Park, California-based company said it is reaching out to 100 third-party developers who had access to the data that was supposed to have been restricted. Facebook said in a blog post that it has seen no evidence of abuse, but “we will ask them to delete any member data they may have retained.” A company spokesman declined to say how many users were affected.
These types of APIs were also at the center of Facebook’s data scandal in early 2018, in which an outside researcher collected personal information from Facebook users and sold it to Cambridge Analytica, a political consulting company. Facebook has since promised to crack down on its data sharing, and announced in September that it had suspended “tens of thousands” of outside developers that had access to some Facebook data.