No one gave a damn about this new Facebook data breach; users’ personal information leaked again

According to information security specialists, about one hundred web application developers may have had improper access to the data of millions of Facebook users, as the company made a mistake that led to the revocation of some restrictions on access to this information.

Because the data breach was publicly disclosed only through Facebook’s developer blog, this incident went almost completely unnoticed, except by some members of the cybersecurity community.

Although Facebook group access parameters were updated over a year ago, during this incident users’ names and profile photos, in addition to their activity logs in certain groups, remained accessible to specific developers, according to the company’s publication.

In addition, information security specialists point out that, of the nearly 100 developers with this access through the Facebook Groups API, at least a dozen reportedly consulted this information actively over the past two months.

It should be noted that, before April 2018, Facebook group administrators could give app developers access to the group information. Since the update to the Groups API, when an administrator authorizes an app, developers can only access data such as the group name, number of participants, and post content.

These API updates are part of the measures implemented by Facebook after the Cambridge Analytica scandal was revealed, with which the company sought to improve its data usage policies for users and the companies that can access their data.

Facebook claims that it has asked the developers involved to delete any records of information obtained through this improper access, adding that it will conduct some security audits to verify that this request is properly complied with. However, many information security experts believe that the company is not acting with full transparency, as the names of the developers, apps or Facebook groups involved were not disclosed, with the company citing security reasons.

Finally, the social media giant assured its users (although the message was addressed to developers) that so far there is no evidence of abuse of this anomalous access; although when it comes to Facebook, data privacy always seems breached in one way or another.

This has been a turbulent year for Facebook in terms of data breach incidents, and authorities in various parts of the world have responded with significant decisions. A few months ago, information security specialists from the International Institute of Cyber Security (IICS) reported a landmark decision by the Federal Trade Commission (FTC), which decided to impose a record $5 billion USD fine on Facebook for its multiple practices that violate various user data protection laws; still, many consider that this fine remains insufficient to put real pressure on these companies.
