Data collected on 3 million Facebook users of a suspended app may have been exposed

Earlier today, Facebook announced that it had suspended 200 apps as part of its ongoing investigation into how third parties may have mishandled user data following the Cambridge Analytica trainwreck. But the company didn’t say which apps it had suspended and why. Meanwhile, another report today sheds some light on what kind of data misuse Facebook may be trying to stem.

British magazine New Scientist reported that myPersonality, one of the 200 apps suspended, may have exposed the data of 3 million Facebook users because a username and password granting access to the data was insufficiently secured. More than 6 million users participated in myPersonality, a psychometric test created by University of Cambridge researcher David Stillwell in 2007.

Nearly half of those users, about 3 million, agreed to share data from their Facebook profiles with the app. According to page on University of Cambridge’s website, the app was active until 2012 and created “one of the largest social science research databases in history.” Stillwell worked for the University of Cambridge’s Psychometrics Centre. Aleksander Kogan, the researcher who created the app that Cambridge Analytica allegedly got data of up to 87 million Facebook users from, is a senior research associate at the University of Cambridge’s psychology department. The university says though that he was not a part of the Psychometrics Centre.

More than 280 people who were “collaborators” with the project had access to the data set collected by myPersonality. New Scientist reports that a password and username granting access to the data — posted by students of a university lecturer who had access to the data — had been sitting on GitHub, publicly available, for the past four years. The profile data was scrubbed of user names before being given to the researchers, and the terms of use collaborators had to agree to before getting access to the data included a pledge to not try to de-anonymize the data.

Facebook suspended the myPersonality app on April 7, though it’s unclear when the company learned anyone could have accessed the data. A statement attributed to Facebook VP of partnerships Ime Archibong read: “[W]e are currently investigating the app, and if mypersonality refuses to cooperate or fails our audit, we will ban it.”

New Scientist said that the University of Cambridge told them that the app was created by Stillwell before he joined the University, and “did not go through our ethical approval process.”

In a statement to VentureBeat, Stillwell put the onus on the researcher whose account details were shared, stating that “this is clearly a breach of the terms that academics agree to when requesting a collaboration with myPersonality. Once we learned of this, we took immediate steps to stop access to the account and to stop further data sharing. In nine years of academic collaborations, this is the only such instance where something like this has occurred.”

While Facebook is still investigating mypersonality, the incident is worth noting because it provides some details as to why some of the other 199 apps might have been suspended by Facebook. It’s not likely that all of these apps shared data with a Cambridge Analytica-like firm, but rather, that some of the data obtained by these apps might have been left unsecured, discoverable if someone dug hard enough.

Correction, 3:50 pm. Corrected to reflect that Aleksander Kogan is not a part of the Pscychometrics Centre, according to the University of Cambridge.