The privacy scandal Facebook downplayed: How app developers sold your data to advertisers

A Wall Street Journal investigation has revealed that Facebook’s most popular applications are transmitting identifying information about users and their friends to dozens of advertising and internet tracking companies. The breach affects tens of millions of Facebook users, including those who have set their profiles to the site’s most restrictive privacy settings.

The investigation found that applications including FarmVille, Texas HoldEm Poker, and FrontierVille have been passing user ID numbers to outside advertising and data collection firms, a direct violation of Facebook’s own privacy policies. For bloggers and publishers who have built audiences on Facebook, this revelation raises serious questions about platform security and user trust.

How the data leak works

The mechanism behind the leak is the HTTP Referer header (the misspelling is the official one). Whenever a browser fetches an ad, a tracking pixel, or any other resource from a third-party server, it sends that server the URL of the page that requested it. Many Facebook applications put the user’s unique Facebook ID in the URL of the app page, so every advertiser or tracker whose content appeared on that page received the ID along with the request, without the app ever calling an advertising API. According to CSO Online’s analysis, the ID can then be used to look up the user’s name and any data they’ve set to public on their Facebook profile.

What makes this particularly concerning is the scale. FarmVille alone has 59 million users. The Wall Street Journal investigation found that the app was not only transmitting user IDs but also information about users’ friends. This means a single person playing FarmVille could inadvertently expose data about dozens of people in their network.

For years, data companies have been collecting information about anonymous users, building profiles of browsing behavior, purchases, and interests. But they couldn’t attach real names to those profiles. Once an application like FarmVille passes along a Facebook ID, advertisers can suddenly connect all that accumulated data to a specific person. The anonymous folder becomes a named dossier.
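The following is an added example, not code from the original article or from Facebook or any of the apps named above. It models the leak from the receiving end: an ad server’s access log (constructed here) records the Referer of every ad request, and a few lines of parsing recover the user IDs that app pages carried in their URLs. It also shows one way an app could have kept the ID out of the Referer in 2010, by moving it from the query string into the URL fragment, which browsers never send. The parameter name `fb_user`, the hostnames, and the log lines are assumptions for illustration; the friend-ID leak the Journal describes is not modeled.

```python
"""HTTP Referer leak of a user ID embedded in a page URL, and a URL-level fix.

Added example; parameter name fb_user, hostnames and log content are assumed.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed ad-server access log (combined log format with a referer field).
# Each line is the browser fetching an ad while viewing an app page; the last
# quoted field is the Referer the browser attached to that request.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Oct/2010:14:03:11 +0000] "GET /ad.gif?slot=top HTTP/1.1" 200 43 "http://apps.facebook.com/exampleville/?fb_user=100001234567890&ref=bookmark"
203.0.113.8 - - [18/Oct/2010:14:03:12 +0000] "GET /ad.gif?slot=top HTTP/1.1" 200 43 "http://apps.facebook.com/exampleville/?ref=bookmark"
203.0.113.9 - - [18/Oct/2010:14:03:13 +0000] "GET /ad.gif?slot=top HTTP/1.1" 200 43 "http://apps.facebook.com/examplepoker/?fb_user=100009876543210"
203.0.113.10 - - [18/Oct/2010:14:03:14 +0000] "GET /ad.gif?slot=top HTTP/1.1" 200 43 "-"
"""

LOG_RE = re.compile(
    r'"(?P<method>\w+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)


def referer_sent_by_browser(page_url: str) -> str:
    """Return the Referer value a browser attaches when this page loads a
    third-party resource: the page URL minus its fragment and any userinfo.
    Browsers strip the fragment, which is what the mitigation below relies on."""
    parts = urlsplit(page_url)
    host = parts.netloc.rsplit("@", 1)[-1]  # drop user:pass@ if present
    return urlunsplit((parts.scheme, host, parts.path, parts.query, ""))


def user_ids_from_referers(log_text: str, param: str = "fb_user") -> dict[str, str]:
    """Map each leaked user ID to the app page URL that leaked it.

    This is all a third party on the receiving end needs to do; the ID then
    resolves to a name and public profile data on facebook.com."""
    leaked: dict[str, str] = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["referer"] == "-":
            continue  # no Referer header on this request
        query = dict(parse_qsl(urlsplit(m["referer"]).query))
        if param in query:
            leaked[query[param]] = m["referer"]
    return leaked


def move_id_to_fragment(page_url: str, param: str = "fb_user") -> str:
    """Mitigation: carry the user ID in the URL fragment instead of the query
    string. The page's own script can still read it (window.location.hash),
    but it is never included in a Referer header sent to third parties."""
    parts = urlsplit(page_url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if k != param]
    ids = [v for k, v in pairs if k == param]
    fragment = parts.fragment
    if ids:
        extra = urlencode({param: ids[0]})
        fragment = extra if not fragment else f"{fragment}&{extra}"
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), fragment))


if __name__ == "__main__":
    for uid, page in user_ids_from_referers(SAMPLE_LOG).items():
        print(f"leaked user {uid} from {page}")
    leaky = "http://apps.facebook.com/exampleville/?fb_user=100001234567890&ref=bookmark"
    safe = move_id_to_fragment(leaky)
    print("before:", referer_sent_by_browser(leaky))
    print("after: ", referer_sent_by_browser(safe))
```

Run it as a script to see the two IDs recovered from the constructed log and the Referer value before and after the fix. The fragment trick was the practical option available to app developers in 2010; today a page can also set a `Referrer-Policy: no-referrer` response header (or the equivalent `<meta name="referrer">` tag) to suppress the header entirely, but that policy mechanism did not exist at the time of the breach.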

Harlan Yu, a computer science graduate student at Princeton who investigated the leak independently after the Journal’s report, told NPR that this represents a significant privacy breach regardless of Facebook’s characterization of the issue.

Facebook’s response falls short

Facebook’s initial response has been to downplay the severity of the breach. Mike Vernal, a Facebook engineer, wrote on the company’s developer blog that press reports had “exaggerated the implications” of sharing user IDs. The company claimed that in most cases, developers did not intend to pass this information and that it happened due to technical details of how browsers work.

This explanation is inadequate on multiple levels. First, Facebook’s own privacy policy explicitly forbids application developers from sharing user data with outside companies. Whether the violation was intentional or not, it still occurred on a massive scale. Second, this is not the first time Facebook has faced this exact issue. A similar breach was exposed by the Wall Street Journal in May 2010, just five months earlier.

The pattern suggests systemic problems rather than isolated technical glitches. Facebook suspended the applications of one developer, LOLapps Media, on Friday for transmitting user IDs. But the fact that ten of Facebook’s most popular applications were all leaking data in the same way points to a platform-level design weakness that goes beyond individual developer mistakes: as long as the user ID sits in the URL of an app page that also loads third-party content, the browser leaks it regardless of what the developer intends.

IDC analyst Hadley Reynolds stated that Facebook needs to take responsibility for lax enforcement of its own guidelines. The company should re-engineer its APIs to force applications to explicitly request permission from individuals for data access, so that apps cannot transmit information without user knowledge. A permission prompt alone would not close this particular hole, however: an ID that sits in a page URL leaks through the Referer header with no API call at all, so the fix also has to keep identifiers out of URLs that third parties can see.

The broader context of Facebook privacy

This latest scandal follows a troubling pattern for Facebook. In April 2010, the company launched Open Graph, which allowed third-party developers to access not just a user’s personal data but also data from their friends’ profiles. Privacy advocates immediately raised concerns about the implications of this architecture.

The Electronic Privacy Information Center has been warning about Facebook’s data handling practices for years. The combination of weak developer oversight, aggressive data sharing with advertisers, and APIs that enable surveillance by design creates an environment where privacy breaches are inevitable rather than exceptional.

For bloggers and content creators, this matters because Facebook has become essential infrastructure for audience building. Facebook pages, groups, and app integrations are now standard tools for reaching readers. But if the platform cannot protect user data, publishers face a difficult choice between growth and the privacy of their communities.

What this means for users and publishers

The immediate practical impact is clear: using Facebook applications exposes you and your friends to tracking by advertisers and data brokers. Even the strictest privacy settings offer no protection, because the leak occurs through the applications themselves, not through your profile visibility settings. Those settings only limit what someone who already holds your ID can look up on your profile, and your name is always public.

Users who want to protect their privacy have limited options. They can stop using Facebook applications entirely, but given the popularity of games like FarmVille, many will be reluctant to do so. They can adjust their privacy settings, but as this breach demonstrates, those settings are only as strong as Facebook’s enforcement of its own policies with third-party developers.

For publishers, the implications extend beyond personal privacy concerns. If you’ve encouraged your audience to engage with your Facebook presence through apps, games, or interactive features, you may have inadvertently exposed them to data collection they didn’t consent to. The trust relationship between publisher and reader includes responsibility for the tools and platforms you direct them toward.

The technical fix and the trust problem

Facebook says it is working on technical systems to prevent the sharing of user IDs in the future. But technical fixes don’t address the underlying issue: Facebook’s business model depends on data collection and targeted advertising. The platform has powerful incentives to make user data accessible to advertisers, even as it publicly promises privacy protection.

This creates a fundamental tension. Facebook needs user trust to keep people on the platform. But it also needs advertiser access to user data to generate revenue. Every privacy scandal reveals how the company resolves that tension in favor of advertisers.

Chris Soghoian, a security researcher, pointed out to NPR that while this particular breach involved Facebook apps, the underlying problem exists across the web. HTTP referers and similar browser mechanisms create privacy vulnerabilities wherever identifying information ends up in a URL that a page shares with third-party content. But Facebook’s scale and the sensitivity of the data it holds make breaches there particularly consequential.

Where we stand now: 2026 update

Fifteen years after this scandal broke, the dynamics it revealed have only intensified. What seemed like isolated incidents in 2010 were actually glimpses of a surveillance infrastructure being built in real time. The friend-data access that Open Graph granted to third-party apps would later facilitate the Cambridge Analytica scandal, in which about 87 million Facebook profiles were harvested for political targeting.

By 2025, Meta platforms including Facebook, Instagram, and WhatsApp rank among the most privacy-invasive services available. According to Incogni’s 2025 Social Media Privacy Ranking, these platforms collect extensive categories of personal data including health information, location data, and detailed behavioral profiles. The digital advertising market has grown to $259 billion, with Facebook deriving 98% of its revenue from ads.

The trust collapse that began with incidents like the FarmVille breach has reached a tipping point. Meta faced a $1.3 billion fine from the EU in 2023 for privacy violations. User surveys show that 81% of Americans feel uncomfortable with how companies use their data. The casual attitude toward privacy that characterized Facebook’s 2010 response is no longer tenable.

For bloggers and publishers, the lesson from 2010 remains relevant: platforms built on advertising will always face tension between user privacy and revenue generation. Building a sustainable publishing business means understanding that tension and creating resilience through owned channels like email lists, diversified platform presence, and direct reader relationships that don’t depend entirely on algorithmic intermediaries.

The advertisers knew more than they should in 2010. Today, they know everything. The question is whether we’ll continue building on systems designed for surveillance, or start demanding something different.

Justin Brown

Justin Brown is an entrepreneur and thought leader in personal development and digital media, with a foundation in education from The London School of Economics and The Australian National University. His deep insights are shared on his YouTube channel, JustinBrownVids, offering a rich blend of guidance on living a meaningful and purposeful life.