View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
November 6, 2019

Facebook Groups API Fix Fails, Causing Another Data Breach

"Some apps retained access to group member information for longer than we intended..."

By CBR Staff Writer

Facebook says privacy-enhancing measures made to the Facebook Groups API in April 2018 didn’t work effectively, with group member data wrongly disclosed to third-party apps as a result, in yet another data breach by the social media company.

That should have ended early last year, after the company tweaked the Facebook Groups API. Prior to the April 2018 changes, group admins could authorise a third-party app to plug in to a group, giving the app developer access to information in the group.

After last year’s changes, even with a Facebook group admin’s approval, the third-party application would only get the group’s name, number of users, and the content of posts; group members had to opt-in for the application to get their details too.

But a number of apps have still been accessing personal data in recent weeks, the company admitted, saying it saw “no evidence of abuse”.

“We recently found that some apps retained access to group member information, like names and profile pictures in connection with group activity, from the Groups API, for longer than we intended. We have since removed their access,” Facebook’s Konstantinos Papamiltiadis – director of platform partnerships – wrote on the company’s developers page on Tuesday.

Facebook Groups API Breach: “At Least 11 Partners Accessed Group Members’ Information in the Last 60 Days”

The data breach comes four months after Facebook paid out $5 billion to settle Federal Trade Commission (FTC) charges that the company deceived users about how it was using their private information. The deal was panned by some critics, despite the record fine. FTC commissioner, Rohit Chopra was particularly scathing.

He said the agreement “doesn’t fix the incentives causing these repeat privacy abuses. It doesn’t stop Facebook from engaging in surveillance or integrating platforms. There are no restrictions on data harvesting tactics — just paperwork.”

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

Papamiltiadis played down the breach this week.

He wrote: “We are also reaching out to roughly 100 partners who may have accessed this information since we announced restrictions to the Groups API… We know at least 11 partners accessed group members’ information in the last 60 days.

“Although we’ve seen no evidence of abuse, we will ask them to delete any member data they may have retained.”

He added: “The new framework under our agreement with the FTC means more accountability and transparency into how we build and maintain products. As we continue to work through this process we expect to find more examples of where we can improve, either through our products or changing how data is accessed. We are committed to this work and supporting the people on our platform.”

The apps with access were mostly social media management and video streaming apps, designed to make it easier for group admins to manage their groups more effectively and help members share videos to their groups, he noted.

Topics in this article : ,
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.