Facebook data on 3 million users reportedly exposed through personality quiz


Facebook data on more than 3 million people who took a personality quiz was published onto a poorly protected website where it could have been accessed by unauthorized parties, according to New Scientist. In a report exposing the potential leak, New Scientist says that the data contained Facebook users’ answers to a personality trait test. While it didn’t include users’ names, in many cases it contained their age, gender, and relationship status. For 150,000 people, it even contained their status updates.

All that data was supposed to be accessible only to approved researchers through a collaborative website. However, New Scientist found that a username and password that granted access to the data could be found “in less than a minute” with an online search, enabling anyone to download the trove of personal information.

The data was gathered by a psychology test called myPersonality, according to New Scientist. Around half of the test’s 6 million participants are said to have allowed their information to be anonymously shared with researchers. The team behind myPersonality let any researcher who agreed to use the data anonymously sign up to access the information that had been collected; in total, 280 people were given access, including employees of Facebook and other major tech companies, according to the report.

The basics here all sound remarkably similar to what happened with Cambridge Analytica, which gained access to information from more than 87 million Facebook users thanks to a personality test called thisisyourdigitallife. In both cases, the tests were initially made by University of Cambridge researchers. And both even had one researcher in common: Aleksandr Kogan.

Kogan was the creator of thisisyourdigitallife, and according to New Scientist, he was listed as part of the myPersonality project until mid-2014; it sounds as though the project began around 2009. The University of Cambridge told New Scientist that myPersonality was started before its creator joined the university and did not go through its ethics review process.

It’s not known whether the data was improperly accessed using the publicly available username and password. A Facebook spokesperson told New Scientist that the app was being investigated and would be banned if it “refuses to cooperate or fails our audit.” As part of its ongoing investigation into misuse of user data, Facebook said this morning that it had so far suspended 200 apps pending review. That included myPersonality.

While a leak of 3 million users’ data is far smaller than the 87 million obtained by Cambridge Analytica, the story still serves as another warning of how easily this information can spread around and just how detailed it can be. One of the bigger issues here is that, even though the data was supposed to be anonymized, New Scientist points out that it easily could have been re-identified using the extra Facebook information attached to each personality test.


CA who abused Facebook’s algorithm to collect user data is put on the same level of severity as a website which lacks security to secure user data??

These quizzes are doing exactly what they’re supposed to. Gathering better data about you!!! This is why I have very little info posted on Facebook. Just there for old friends to find me. It has worked. I don’t take any quizzes. I’m not in any of this social crap. Friends and Family can phone me, text me, or e-mail me. I limit what I do on Google. I use DuckDuckGo most of the time on my Searches. I don’t use Android. You can’t flee from being spied on using Android. Or an iPhone and using Google’s services.

I don’t use Twitter. I don’t give a crap about most people’s LIVES. I don’t need to see strangers’ daily lives. Facebook’s problem with the other company was collecting User info themselves instead of going through Facebook and paying them for it.

Well, to all the users of Facebook, if you haven’t learned not to fill out quizzes on this platform then you are obviously part of the problem.

At some point the responsibility for user privacy needs to start with the users.

I was watching TV the other day and normally I just have it on in the background as I work or do something else. I noticed a commercial from the corner of my eye and its tone seemed different than the standard "selling you something" approach. Turns out it was a Wells Fargo ad apologizing for how they messed up and lost consumer trust. This was followed immediately by a commercial from Facebook doing the same exact thing, apologizing for losing users’ trust and trying to remind them we all like looking at baby photos and liking each other’s horribly filmed party videos.

Funny how this is becoming the standard now. Companies aren’t advertising a product or a new service, they’re apologizing for letting customers down and manipulating/extorting them in some fashion. Just shows that so many companies will have the mindset of doing what’s wrong until they get caught rather than trying to do what’s right to build loyalty first.
