Facebook said it gave outside developers access to private user information shared within some groups on its main social network, including the names and profile photos of people who were part of those groups.
The company recently found that some apps retained access to group member information, like names and profile pictures in connection with group activity, from the Groups API, for longer than the social network intended.
This means that third-party developers who used Facebook’s Groups API -- a software program that allows for information sharing between Facebook and outside developers -- could see which users shared posts or left comments inside a group, even though they weren’t supposed to have that level of detail.
Facebook has removed their access, and is reaching out to roughly 100 partners who may have accessed this information since we announced restrictions to the Groups API. Facebook know sat least 11 partners accessed group members’ information in the last 60 days. Although the company says it has seen no evidence of abuse, it will ask them to delete any member data they may have retained and will conduct audits to confirm that it has been deleted.
Beginning in April 2018, Facebook restricted access so that these outside partners could only see the text of posts or comments from inside groups, but not the names or photos of the people who shared them.