"It's clear that they shared information with researchers as well as companies with only limited protections in place. As a result, we will notify the roughly four million people who chose to share their Facebook information with myPersonality that it may have been misused," Facebook Vice President of Product Partnerships Ime Archibong wrote in a blog post.
Notification won't extend to friends of those users, though, "given we currently have no evidence that myPersonality accessed any friends' information," he said, noting they would be contacted "should that change."
The 400 suspended apps were among thousands that the company has reviewed since March, after bolstering security and privacy policies in the aftermath of the Cambridge Analytica scandal, in which the data analytics firm violated the social media company's policies by collecting personal data from tens of millions of Facebook users without their permission.
Assessment of the 400 apps recently suspended raised "concerns around the developers who built them or how the information people chose to share with the app may have been used — which we are now investigating in much greater depth," Archibong wrote.
The discoveries have prompted Facebook to change a bevy of policies, including expanding its App Review and instituting a new policy preventing information from being shared with apps that have not been used in 90 days.
Earlier this week Facebook said it had purged 652 pages, groups and accounts engaging in coordinated inauthentic behaviour - in some cases originating in Iran and Russia - from Facebook and Instagram.
The social media company was quick to point out that it has yet to find coordination among the accounts. "These were distinct campaigns and we have not identified any link or coordination between them," the company said in a blog post. "However, they used similar tactics by creating networks of accounts to mislead others about who they were and what they were doing."
Calling the people behind the activity "determined and well funded," Facebook said "rooting out" abuse remains a challenge.
The company defended its lengthy probes, which may be difficult to coordinate with law enforcement running investigations of their own. "There is always a tension between taking down these bad actors quickly and improving our defenses over the long term," Facebook said. "If we remove them too early, it's harder to understand their playbook and the extent of their network."
The company was "able to link this network to Iranian state media through publicly available website registration information, as well as the use of related IP addresses and Facebook Pages sharing the same admins," wrote Nathaniel Gleicher, head of cybersecurity policy.
"Accounts and pages linked to 'Liberty Front Press' typically posed as news and civil society organisations sharing information in multiple countries without revealing their true identity," he said.
The accounts attracted about 155,000 followers on Facebook and 48,000 on Instagram.
The second part of Facebook's probe revealed "links between 'Liberty Front Press' and another set of accounts and pages, the first of which was created in 2016," that "typically posed as news organisations and didn't reveal their true identity," Gleicher said. "They also engaged in traditional cyber-security attacks, including attempts to hack people's accounts and spread malware, which we had seen before and disrupted."
A third segment of the probe in August 2017 "uncovered another set of accounts and pages, the first of which was created in 2011, that largely shared content about Middle East politics in Arabic and Farsi," he said. "They also shared content about politics in the UK and US in English."