Facebook Data: Information Shared With Third-Party App May Not Have Been Protected

In the months following the revelations regarding the Cambridge Analytica data breach at Facebook, social media users have discovered additional ways in which their information may have been misused.

A new investigation done by New Scientist magazine found that people who used the third-party quiz application called myPersonality may have been put at risk for even greater exposure.

The app allowed users to take psychometric tests and share their Facebook data, resulting in one of the "largest social science research databases in history," according to the myPersonality information page on the University of Cambridge's website. Created in 2007, the app collected information until 2012.

Researchers working with the myPersonality project, including app creator David Stillwell, shared anonymous samples from the project with other researchers around the world, according to myPersonality. The data from more than six million users was used in more than 45 peer-reviewed research publications, according to Cambridge. About half of those users who took part in the myPersonality app questions also shared the data from their Facebook pages, New Scientist reported.

But New Scientist said research showed that the data was not properly stored online and that the website had "insufficient security provisions." The data was vulnerable for years while the platform stayed open, New Scientist said.

A username and password was required to access the data online, but New Scientist reported that finding a valid username and password online was easy and could be done in "a single web search." This made the information myPersonality gathered easy for nearly anyone to access and tracking who accessed it nearly impossible.

"We were concerned to find out on 28th April that the account details from a professor of computer science at the University of Michigan have been shared on a public webpage. This is clearly a breach of the terms that academics agree to when requesting a collaboration with myPersonality," the myPersonality project told Newsweek in a statement. The project said after learning of the sharing it took the necessary steps to stop access to the account.

Users who wished to access the data without using the username and password publicly posted online had to register as a collaborator on a project, New Scientist reported—and more than 280 people did just that. Those people had to have permanent contracts and they were "vetted," according to the statement from myPersonality.

While the data sets were allegedly anonymous, the information the app collected was still highly personal and "deanonymizing would not be hard," New Scientist reported.

Facebook announced Monday that, as part of its investigation following the Cambridge Analytica revelation, "around 200" apps were suspended and would be thoroughly investigated.

Facebook did not immediately respond to Newsweek's request for comment.

This illustration picture taken on April 19, 2018 in Paris shows the tablet and smartphone app for Facebook. Lionel Bonaventure/Getty Images