Facebook confirms to TechCrunch that it's investigating a security research report that shows Facebook user data can be grabbed by third-party JavaScript trackers embedded on websites using Login With Facebook. The exploit lets these trackers gather a user's data including name, email address, age range, gender, locale, and profile photo depending on what users originally provided to the website. It's unclear what these trackers do with the data, but some of their parent companies sell publisher monetization services based on collected user data.

The abusive scripts were found on 434 of the top 1 million websites including cloud database provider MongoDB. That's according to Steven Englehardt and his colleagues at Freedom To Tinker, which is hosted by Princeton's Center For Information Technology Policy.

Meanwhile, concert site BandsInTown was found to be passing Login With Facebook user data to embedded scripts on sites that install its Amplified advertising product. An invisible BandsInTown iframe would load on these sites, pulling in user data that was then accessible to embedded scripts. That let any malicious site using BandsInTown learn the identity of visitors. BandsInTown has now fixed this vulnerability.

TechCrunch is still awaiting a formal statement from Facebook beyond "We will look into this and get back to you."

[Update 4/19/18 10:15am: A Facebook spokesperson now tells us "Scraping Facebook user data is in direct violation of our policies. While we are investigating this issue, we have taken immediate action by suspending the ability to link unique user IDs for specific applications to individual Facebook profile pages, and are working to institute additional authentication and rate limiting for Facebook Login profile picture requests."]

After TechCrunch brough the issue to MongoDB's attention this morning, it investigated and just provided this statement "We were unaware that a third-party technology was using a tracking script that collects parts of Facebook user data. We have identified the source of the script and shut it down."

BandsInTown tells me "Bandsintown does not disclose unauthorized data to third parties and upon receiving an email from a researcher presenting a potential vulnerability in a script running on our ad platform, we quickly took the appropriate actions to resolve the issue in full." [Correction: Two sites listed by the researchers have confirmed via fraud prevention service Forter that they did not host any exploitative trackers, or that their trackers did not have access to Facebook data. They've been removed from the research paper and subsequently from this article. Two of the tracker companies have confirmed they don't collect Facebook data, and we've removed them as well.]

The discovery of these data security flaws comes at a vulnerable time for Facebook. The company is trying to recover from the Cambridge Analytica scandal, CEO Mark Zuckerberg just testified before congress, and today it unveiled privacy updates to comply with Europe's GDPR law. But Facebook's recent API changes designed to safeguard user data didn't prevent these exploits. And the situation shines more light on the little-understood ways Facebook users are tracked around the Internet, not just on its site.

"When a user grants a website access to their social media profile, they are not only trusting that website, but also third parties embedded on that site" writes Englehardt. This chart shows that what some trackers are pulling from users. Freedom To Tinker warned OnAudience about another security issue recently, leading it to stop collecting user info.

Facebook could have identified these trackers and prevented these exploits with sufficient API auditing. It's currently ramping up API auditing as it hunts down other developers that might have improperly shared, sold, or used data like how Dr. Aleksandr Kogan's app's user data ended up in the hands of Cambridge Analytica. Facebook could also change its systems to prevent developers from taking an app-specific user ID and employing it to discover that person's permanent overarching Facebook user ID.

Revelations like this are likely to beckon a bigger data backlash. Over the years, the public had became complacent about the ways their data was exploited without consent around the web. While it's Facebook in the hot seat, other tech giants like Google rely on user data and operate developer platforms that can be tough to police. And news publishers, desperate to earn enough from ads to survive, often fall in with sketchy ad networks and trackers.

Zuckerberg makes an easy target because the Facebook founder is still the CEO, allowing critics and regulators to blame him for the social network's failings. But any company playing fast and loose with user data should be sweating.