Facebook has revealed it has suspended an unspecified number of developers for selling user identification numbers (UIDs) to an unnamed data broker.
UIDs can be linked to a Facebook user's name and potentially associated with actions outside Facebook, privacy advocates warned.
The company has suspended the developers for six months, but said the UIDs involved were not used to access private data.
But Facebook said the actions violated its privacy policies and the developers will be required to submit their data practices to an audit to confirm compliance in future.
"Facebook has never sold and will never sell user information," wrote Facebook engineer Mike Vernal in a blog post.
"We also have zero tolerance for data brokers because they undermine the value users have come to expect from Facebook," he said.
Vernal said company policy states that developers may not pass any data from Facebook to data brokers.
"We are now including anonymous identifiers in this protected category of Facebook data," Mike Vernal said.
Facebook also announced it has reached an agreement with Rapleaf, a data broker that volunteered to work with the social networking firm on the issue.
Rapleaf has agreed to delete all UIDs in its possession. The company has also agreed not to conduct any further activities on the Facebook Platform, said Vernal.
"In taking these steps, we believe we are taking the appropriate measures to ensure people stay in control of their information, while providing developers the tools they need to create engaging social experiences," he said.
Facebook has promised to tighten policies on how UIDs are handled and proposed enabling the optional encryption of UIDs. However, the company added that the issue of information exposed through HTTP referer headers must be addressed by the whole industry.