Facebook has confirmed an ongoing investigating into a security report that claims that users' data on the social network can be grabbed by third-party JavaScript trackers on websites using Login With Facebook.

The exploit allow the trackers to accumulate data on a user, including: name, email address, gender, location, and picture, which may depend on the users provided privacy options available to the public. And the exploitation script is able to infiltrate the database to extract identifying information, even from web pages, browser password managers, and form input systems.

Login with Facebook is a simple social login system that makes the account creation process for users easier by eliminating the manual input of users information, and also eases login by eliminating the use of passwords.

According to Steven Englehardt security research, the exploitative scripts were discovered on over 400 of the top one million websites in the world including cloud database provider, MongoDB.

While some sites were found to be bypassing Login With Facebook user data to embedded scripts that install its Amplified advertising product with iframe that would load on these sites, pulling in user data that was then accessible to the embedded scripts, thus allowing the identification of visitors.

This is certainly not the best of times for Facebook's CEO, Mark Zuckerberg with the company already grappling with the Cambridge Analytica scandal, and the requirements to comply with Europe’s GDPR law.

It's really frightening to see how Facebook users data can be exploited even outside the social platform, notwithstanding Facebook’s recent API changes designed to safeguard users privacy.