Facebook confesses 100 devs may have accessed leaked Groups data
Even after Facebook locked down its Groups API in April 2018 to keep developers from accessing user data – including the names and profile pictures of people in specific, sometimes secret, groups – roughly 100 developers might still have gotten at that user information, the platform said on Tuesday.
Konstantinos Papamiltiadis, Facebook’s director of platform partnerships, said in a News for Developers post that the access had inappropriately been left open and that data may have been accessed by some developers for over a year. “At least” 11 partners accessed group members’ information in the last 60 days, he said.
When it made the change in April 2018, Facebook explained that, at the time, apps needed the permission of a group admin or member to access group content for closed groups, and the permission of an admin for secret groups.
The apps help admins do things like easily post and respond to content in their groups. Facebook said that it wanted to better protect information about group members and conversations, so it changed things around: with the newly locked-down Groups application programming interface (API), any third-party app would need approval from Facebook and an admin to ensure that the apps were actually benefitting the group.
It shut down the apps’ ability to access the member list of a group and removed personal information, such as names and profile photos, attached to posts or comments that the approved apps could access. After April 2018, if an admin authorized an app’s access, it would only get information such as the group’s name, the number of users, and the content of posts.