Developers had access to private data Facebook users through old api

Information from private groups on Facebook could be accessed by about a hundred third-party developers through an outdated API. It would concern makers of video streaming services and social media apps who had access to users’ names and profile photos.

That happened after Facebook made changes to the Groups API. This enabled developers to create a link between their apps and Groups on the platform. Admins of a group could give an app access to it, where the app makers could view information about the group. In April 2018, Facebook made changes to that API so that app makers could only see the private group name and number of members. For more information, such as the names of the members of a group or their profile picture, the members themselves had to give their consent with an opt-in.

Facebook is now warning that some app developers could still access that information after those changes, even without users’ opt-in. It would involve ‘about a hundred partners’. These are partners of whom Facebook suspects that they have actually looked up the data of group members. At least eleven developers have actually done so in the last two months. Facebook does not say how many developers had access to information from group members. Nor is it known what information the app makers had access to. Facebook writes that it concerns data ‘such as names and profile photos’.

Facebook also does not tell which applications it concerns. The company does say that it has withdrawn access to the API and has addressed the companies. “We see no evidence of abuse at this time,” the company wrote. “We’re asking our partners to delete any member data they’ve collected, and we’ll be checking to make sure that’s done.”