Facebook has admitted that an “issue” with its system caused it to share user data with 5,000 developers after users had been inactive for 90 days. In 2018, Facebook announced that it would automatically prevent apps using Facebook Login from getting user data if the user had not used the particular app in the last 90 days.
However, according to a post on Facebook’s news page, around 5,000 developers continued to receive information even though the users had been inactive for 90 days. The social networking giant states that it discovered this issue recently and fixed it the next day. Facebook did not say how many users were affected by this lapse.
Like Sign in With Apple, or Google Login, Facebook Login allowed app developers to get users to sign up without having to create a fresh account — and it also gave developers access to some data from Facebook. Since this affects third-party apps, it’s not clear what data precisely was being accessed, or how many users were affected by this.
In a post on Facebook, Konstantinos Papamiltiadis, VP of Platform Partnerships at Facebook, wrote that “in some instances, apps continued to receive the data that people had previously authorized, even if it appeared they hadn’t used the app in the last 90 days.”
This 90-day lockout rule was introduced in 2018 as a means to protect user privacy and data when users use Facebook to sign in to other apps. Papamiltiadis stated that Facebook estimates approximately 5,000 developers continued to receive user information like language settings or user gender after 90 days of inactivity.
“We haven’t seen evidence that this issue resulted in sharing information that was inconsistent with the permissions people gave when they logged in using Facebook,” Papamiltiadis added. He said that the issue was fixed the day after it was found, and that the social media giant will continue to investigate and “prioritize transparency around any major updates.”
Facebook did not clarify exactly what information and user data were accessed by the developers, but it did give an example of a case where this issue could have caused unauthorized sharing of data. It stated that “this could happen if someone used a fitness app to invite their friends from their hometown to a workout, but we (Facebook) didn’t recognize that some of their friends had been inactive for many months.”