The social media giant said around 5,000 developers were mistakenly granted unauthorised access to “non-public information” in breach of the company’s own rules.
It has not revealed how many users were affected.
The admission comes two years after Facebook pledged to lock out third party app data access if the service had not been used for 90 days following the Cambridge Analytica scandal, which harvested people’s data – and that of their friends who had not given consent – via permissions granted from “personality test” quizzes inside the social network.
The data leak appears to breach Facebook’s own rules governing personal information access that it brought in following the incident, which saw founder Mark Zuckerberg grilled by US congress about how it used people’s information.
It is understood the newly discovered data leaks include both internal apps, such as games, and also external platforms where users can login using their Facebook credentials to avoid a separate sign-up process.
The latest admission again spotlights the volumes of personal data users sign away when they grant approval to apps – as the tech firm said it had not “seen evidence” that shared data was “inconsistent with the permissions people gave”.
Facebook said the “non-public information” may have included a person’s email address, birthday and gender when Facebook was used to “sign into apps”, even if they had not used the service for 90 days.
The social network gave the example of a data leaking from fitness app where a user had invited a friend to a workout, but the recipient’s usage was dormant for a long time.
Facebook’s vice-president of platform partnerships, Konstantinos Papamiltiadis, said: “Recently, we discovered that in some instances apps continued to receive the data that people had previously authorised, even if it appeared they hadn’t used the app in the last 90 days.”
He added: “We currently estimate this issue enabled approximately 5,000 developers to continue receiving information – for example, language or gender – beyond 90 days of inactivity.”
Mr Papamiltiadis said the bug had been fixed to help “strengthen data security requirements and clarify when developers must delete data”
Kiran Bhagotra, chief executive of cybersecurity comparison site ProtectBox, said: “There are a myriad of ways that Facebook shares user data, such as software development kits and social plug-ins.
“From personal experience of building apps, it’s very hard for Facebook to restrict the data it makes available to third-party developers and to enforce accountability for ways they use personal information - it takes two to tango.
“Each app can access various subsets of people’s data, depending on permissions that the user agrees to.
She added: “If you’re unhappy with your data being used in any way that you can think of, then don’t tick that ‘agree’ box, or just don’t use that service."