The sales were uncovered as Facebook investigated a web browser bug that let user IDs be shared inadvertently. The user details were sold to data brokers who used the information to target adverts more precisely. The developers have been banned for six months from connecting to Facebook and must be audited to check they comply with the social network’s policies.
Facebook started investigating what was happening with user identifiers (UIDs) following media reports that the information and lists of contacts were being sold on to advertising firms.
In a blog post, Facebook said its investigation showed that the technical demands of some browsers meant that some user IDs were being leaked.
It also discovered that some developers that create applications for the social network were taking the user IDs of those who used their creations and selling them on.
Despite this, it said, it took the breach “seriously” and had imposed a six-month ban on the developers it caught out.
Facebook said the investigation “determined that no private user data was sold and confirmed that transfer of these UIDs did not give access to any private data”.
Facebook did not identify which developers were being punished and only said there were fewer than a dozen of them and none had any applications in the top 10 most popular used on the social network.
It named ad-targeting firm Rapleaf as one of the data brokers which had been buying UIDs. It said it had reached an agreement with the firm which would end Rapleaf’s involvement with any application on Facebook now and in the future.