Social media Master of the Universe Facebook has once again been accused of leaking users personal information via a quiz app over a period of at least two years.

In a situation echoing the Cambridge Analytica scandal earlier this year, Facebook has been accused of leaking the personal info of their users via a quiz app on their platform. Politico reports that the application is called Nametests.com and has been running Facebook quizzes for years, but the application left the personal data of Facebook users who have used the app unprotected on its website, leaving the info vulnerable to third parties who may wish to steal the info.

Belgian hacker Inti de Ceukelaire first noticed the issue and published a blog post explaining the problem. Ceukelaire told Politico: “There was a security leak at one of the most popular quiz apps that was accessible for at least two years. I can only note that Facebook didn’t see this.” Ceukelaire noted that the leaked info includes users pictures, status updates, friends list and much more.

The leak was allegedly reported to Facebook in April via the companies “data abuse bounty” program which rewards users for discovering flaws in the Facebook system, this program was launched following the Cambridge Analytica scandal. Facebook said in April that they had taken note of the bug and paid $8,000 to the Freedom of the Press foundation upon the request of the hacker that discovered the bug.

Ceukelaire stated that user data was at risk once Facebook users opened a quiz run by Nametests.com, popular quizzes made by the company include “What tattoo should you get?”, “What 3 qualities are unique about you?” and “Enhance your profile picture beauty!” Nametests.com is operated by a German company named Social Sweethearts which claims to have 250 million registered users and 3 billion page views per month. If these users accessed the quizzes via Facebook, that could mean that the personal data of 250 million users is at risk.

In a statement to Politico, Social Sweethearts said that “the matter has been carefully investigated” and it found “no evidence that personal data of users was disclosed to unauthorized third parties and all the more that there was no evidence that it had been misused.” The company claimed that the vulnerability had been fixed after they were contacted by Facebook

Facebook’s Vice President for Products and Partnership Ime Archibong stated: “We worked with nametests.com to resolve the vulnerability on their website, which was completed in June.”

Paul-Olivier Dehaye, a privacy activist who has testified before the U.K. and European parliaments about Facebook’s use of personal data, discussed the latest issue in Facebook’s growing list of scandals, saying: “It looks like Facebook’s oversight of the app ecosystem didn’t include technical policing of the security of the apps, but instead relied on contractual terms to take care of that aspect.”