Facebook says 100 developers might have improperly accessed Groups member data

Facebook says that even after it locked down its Groups system last year, some app developers retained improper access to information about members. A company blog post reports that roughly 100 developers might have accessed user information since Facebook changed its rules in April of 2018, and at least 11 accessed member data in the last 60 days. It says it’s now cut all partners off from that data.

Facebook Group administrators can use third-party tools to manage their groups, giving apps information about its activity. Since the changes last year, developers shouldn’t be able to see individual members’ names, profile pictures, or unspecified other profile data. Facebook platform partnerships head Konstantinos Papamiltiadis says a recent security review found that some apps still had access, however.

Papamiltiadis says there’s no evidence that partners have abused their access, but he says Facebook has asked them to delete any improperly obtained information and will conduct audits to confirm it’s gone.

Facebook didn’t disclose the names of these roughly 100 developers. Papamiltiadis only says that the apps were “primarily social media management and video streaming apps, designed to make it easier for group admins to manage their groups more effectively and help members share videos to their groups.” We also don’t know exactly what information was involved besides names and photos, nor how many users and groups the apps served.

Facebook locked down the Groups application programming interface (API) as part of a general crackdown after the Cambridge Analytica data-sharing scandal. It added rules that required developers to get approval from Facebook before using the Groups API, then relaunched the system with new features in July, suggesting that it was trying to implement real oversight — so it’s a little surprising that these apps slipped through the cracks.