Facebook quiz app may have left 120m users data exposed until just last month

Facebook has been hit with another data breach scandal, with a security researcher claiming that a third-party app called NameTest left the data of up to 120m Facebook users exposed as recently as just last month.

Within the past few months, Facebook has already seen the Cambridge Analytica controversy, a bug that made private posts public and data-sharing deals with manufacturers that gave them long-standing, broad access to personal information. Like the Cambridge Analytica scandal, this latest breach focuses on a third-party app that encouraged users to take tests.

This breach was discovered by security researcher Inti De Ceukelaire as part of Facebook's Data Abuse Bounty program. After seeing the app among a list of programs his friends on Facebook had installed, he tried it and tracked how his data was processed. He discovered that his personal information, along with that of every other person who had taken the quiz, was being held in a JavaScript file that could easily be requested by any website that knew to ask.

In addition to enabling any site to request data points, NameTest provided those who requested info with an access token that would allow continued access to a user's posts, photos and friends' data for up to two months.

“Depending on what quizzes you took, the JavaScript could leak your Facebook ID, first name, last name, language, gender, date of birth, profile picture, cover photo, currency, devices you use, when your information was last updated, your posts and statuses, your photos and your friends,” said De Ceukelaire. “If you ever took a quiz and removed the app afterwards, external websites would still be able to read your Facebook ID, first name, last name, language, gender, date of birth. You would have only prevented this from happening if you manually deleted your cookies, as the website does not offer a logout functionality.”

There's no indication that the data NameTest gathered was intentionally shared with third parties as in the Cambridge Analytica case, or that the breach was deliberate, but it is still a worrying example of the kind of breaches that still exist in Facebook's ecosystem.

The process that De Ceukelaire shared also shows that Facebook's Data Abuse Bounty program may need work. According to De Ceukelaire, he reported the issue on 22 April, with Facebook taking eight days to respond. On 14 May, he checked to see if Facebook had contacted NameTest's developers, and eight days later was told it could potentially take three to six months to investigate the issue. NameTest finally fixed the issue on 25 June, and De Ceukelaire had to chase Facebook to have the fix acknowledged and confirm his $8,000 reward, which he donated to the Freedom of the Press Foundation.