Facebook says it mistakenly let 5,000 developers gather information from people’s profiles after a time limit on their rights had expired.
Apps on Facebook are supposed to be prevented from accessing people’s personal data if the app has not been used for 90 days.
But Facebook said that lock-out had not always worked due to a flaw in how it recorded inactivity.
“We fixed the issue the day after we found it,” the company said.
Facebook has not stated how many users had their personal data scraped.
The harvesting of Facebook users’ personal information by third-party apps was at the centre of the Cambridge Analytica privacy scandal that was exposed in 2018.
Cambridge Analytica’s app on Facebook had harvested not only the data of people who interacted with it, but also that of friends who had not given consent. The company built a vast and lucrative database in the process.
Facebook’s chief executive Mark Zuckerberg faced questioning before the US Congress on how his company dealt with users’ personal information, and Facebook brought in its new policy on 90-day lock-outs for apps later that year.
But Facebook now says the limit did not work properly.
“Recently, we discovered that in some instances apps continued to receive the data that people had previously authorised, even if it appeared they hadn’t used the app in the last 90 days,” the company said in a statement.