The social media company has confirmed to TechCrunch that it’s investigating the report.
According to the research, trackers are able to gather a user’s data – including name, email address, age range, gender, location and profile photo – depending on what users initially provided to the website.
The scripts were found on 434 of the top 1 million websites, including Fiverr.com and MongoDB.
“We were unaware that a third-party technology was using a tracking script that collects parts of Facebook user data. We have identified the source of the script and shut it down,” MongoDB said when contacted about the report.
It is unclear what the trackers are doing with the data once they obtain it.
In addition, it was discovered that the concert site Bandsintown has been passing login with Facebook user data to embedded scripts on sites that install its Amplified advertising product, which then leads to the ability for any malicious site using Bandsintown to learn the identity of visitors.
“Bandsintown does not disclose unauthorized data to third parties, and upon receiving an email from a researcher presenting a potential vulnerability in a script running on our ad platform, we quickly took the appropriate actions to resolve the issue in full,” Bandsintown said in a statement.
In addition, CEO Mark Zuckerberg admitted under questioning that Facebook also collects “data of people who have not signed up for Facebook,” claiming the practice was done for security purposes.