Facebook said on Wednesday it accidentally allowed around 5,000 developers to access data from their app’s inactive users, even though that access should have been cut off. The company explained on Wednesday it recently discovered an issue that had allowed app developers to continue receiving this information beyond the 90 days of inactivity that is meant to cut off data access until the user returns to the app and again re-authenticates.

The social networking company discovered that in some instances apps continued to receive data authorised by users past the 90-day of no login .

The 90 days of inactivity period was set to stop apps from accessing user data from Facebook until someone logins again and re-authenticates the app. From the 91st day of inactivity to the next login, apps connected to the user’s Facebook login should not access their data.

Among several changes to the social network’s API platform, the company declared a tighter review process for using Facebook’s login for third-party apps. Facebook also blocked access to users’ personal data to third-party apps past the 90 days of inactivity period.

On Wednesday, Facebook said they had updated their terms and developer policies. The new terms are set to limit the information app developers can share with third parties without explicit consent from users.