Facebook says it fixed a bug on August 24 that had allowed users with both an app and a Facebook Ads account to access the Facebook Analytics data of other apps.
10 advertisers accessed the analytics data of 21 apps during the three weeks the bug was live.
Though it affected a limited number of accounts, the news comes at a time of heightened awareness around data security and follows other mea culpas from the company.
For three weeks in August, a small number of Facebook advertisers figured out they could access the aggregated Facebook Analytics data of other apps.
Facebook says a bug was introduced as the result of a code change on August 2. The bug enabled users with both an app and Facebook advertising account to view SDK data in Facebook Analytics of other apps that also have Facebook Ads accounts. Facebook is able to identify the accounts involved and says 21 app owners had their Facebook analytics data accessed by 10 advertisers.
“Due to a bug in our system, a handful of advertisers were able to view the dashboards of other Facebook Analytics advertisers. No personal information about people on Facebook was shared. We’re sorry for the error and have fixed the issue,” said Joe Osborne, a Facebook spokesperson.
The company says it was alerted to the issue by a customer on August 24 and fixed the bug within two hours. It then began analyzing the impact, and Facebook has been contacting the app owners and advertisers involved this week.
How it worked, what data was accessed
Facebook believes most of the advertisers happened upon the bug while using the Facebook Pixel Helper, a Chrome browser plug in to help users identify when the Facebook Pixel is installed properly on a site. Using that tool, it’s easy to find a site’s Pixel ID. The advertisers were able to search another site’s ID that also has an app in Facebook Analytics and access their app data dashboards. That is not supposed to be possible.
The dashboard data includes aggregated performance reports on metrics such as new users, unique users, app installs and media sessions length. It would also have been possible for the advertisers to click into the main insights pages for those metrics. They would not be able to access the apps’ Facebook Ads accounts, however, even if they were linked to the Facebook Analytics accounts, the company says.
Audit and follow up
Facebook is able to see what users do within Facebook Analytics, so it can tell what accounts an advertiser accessed and how long they spent in the accounts. The company doesn’t believe, at this point, that there was malicious intent, but can’t guarantee competitors didn’t see the data.
The company says it is conducting an audit of whether any advertisers retained any of the data (presumably having learned from taking Cambridge Analytica’s word it had deleted its Facebook data) and asking why and how they accessed the accounts.
It’s unclear if there will be any consequences for the advertisers if it’s determined they accessed the accounts simply out of curiosity. Accessing data without authorization is against Facebook’s terms of service, even in the case of a bug.
Facebook says it has made changes to its processes and added back-end systems improvements to ensure this doesn’t happen again.
In June, Facebook apologized to developers for an error that caused it to send weekly app performance reports to app testers who often work outside of the developers’ companies. That error affected roughly 3 percent of Facebook Analytics users. As with this bug, recipients saw aggregated app performance metrics, but no personal information.
The company has been working to shore up platform privacy across its ecosystem and to be more forthcoming in these situations. But as Facebook is now well aware, it’s running out of sorries.
Comments