Facebook filed a federal lawsuit in California on Thursday against OneAudience, a marketing company that it says paid app developers to exploit the “login with Facebook” feature to improperly gain access to personal data without users’ permission.

The social media company claims that OneAudience harvested users’ data by getting app developers to install a malicious software development kit, or SDK, in their apps. SDKs are packages of basic tools that make it easier and faster for developers to build their apps. But they may also contain tools that aren’t necessary, such as trackers that send information about your device and app usage back to the SDK maker, which it can then use to target ads to you. OneAudience’s SDK, Facebook claims, collected data improperly from Facebook users who opted to log in to certain apps using their Facebook account credentials.

OneAudience did not immediately respond to a request for comment.

According to the lawsuit, OneAudience also paid apps to harvest users’ Google and Twitter information when they logged into one of the compromised apps using their Google or Twitter account information.

The suit shows the potential privacy downsides of opting to use your Facebook (or Twitter or Google) credentials to log in to new accounts instead of creating a unique username and password. That’s because logging in with Facebook attaches that account to the website or app to which you’re signing in. That also means the website (or app) and Facebook get some of your user data from each other (you can control some of the information that is shared, but not all of it). And, as Facebook claims happened in this case, this can give bad actors access to your data, too.

Back in November, Facebook and Twitter said that OneAudience had been harvesting private data, such as people’s names, genders, emails, usernames, and potentially people’s last tweets. Facebook launched an audit into the company’s behavior, which Facebook says OneAudience did not cooperate with. At the time, OneAudience said the data “was never intended to be collected” and that the SDK had been shut down. Hundreds of users were reportedly affected.

In the years since the Cambridge Analytica scandal in 2016, Facebook has faced a torrent of criticism for not doing enough to protect its users’ data. This move to sue a company for improperly collecting users’ information is a sign it’s trying to do better — and it’s also a way to publicly emphasize that it’s not at fault for this breach.

“This is the latest in our efforts to protect people and increase accountability of those who abuse the technology industry and users,” wrote Jessica Romero, Facebook’s director of platform enforcement and litigation, in a Facebook blog post about the lawsuit.

But some argue that Facebook and other tech companies need to do more to protect users’ data as a first line of defense, although their ability to do so against malicious actors operating through third-party apps is somewhat limited, said Alex Stamos, director of the Stanford Internet Observatory and a former Facebook security executive. Facebook could revoke access for third-party developer apps at large, but that would be a drastic move that might come with other privacy trade-offs, Stamos said.

“For me, the end result of all of these cases is the need for a federal privacy law — because effectively the privacy laws are being enforced by tech companies, and the laws to do this are not for that purpose,” Stamos told Recode. If the US had privacy laws, then individuals could go after companies that misuse their data more directly and effectively, Stamos said.

Facebook’s lawsuit against OneAudience raises questions about who is ultimately responsible for protecting our privacy — and it shows that there’s still a long battle ahead over how to protect user privacy effectively.