’s privacy nightmare is far from over: The social networking giant revealed Wednesday that an app called myPersonality had siphoned personal data from 4 million users off Facebook, and then shared it with researchers and third-party companies.

“Today we banned myPersonality — an app that was mainly active prior to 2012 — from Facebook for failing to agree to our request to audit and because it’s clear that they shared information with researchers as well as companies with only limited protections in place,” wrote Facebook’s VP of product partnerships Ime Archibong in a blog post published late Wednesday afternoon by the company.

The revelation may seem like a deja vu to some of the affected users: Earlier this year, Facebook was in the headlines for another personality quiz, which stole data from up to 87 million Facebook users on behalf of Cambridge Analytica, a data consultancy that was used by Donald Trump’s 2016 election campaign.

Cambridge Analytica was able to gather that much data because of Facebook’s architecture for third-party apps, which until a few years ago made it easy for app developers to download data not only from users of an app, but also all of their friends.

It seems like the myPersonality quiz didn’t make use of this option. “Given we currently have no evidence that myPersonality accessed any friends’ information, we will not be notifying these people’s Facebook friends,” Archibong wrote, while cautioning that the company was still investigating the incident: “Should that change, we will notify them.”

Facebook began looking into apps that had access to large amounts of personal information back in March. The company announced in May that it was suspending 200 of those apps as part of that probe, with myPersonality apparently being one of the apps deactivated at the time.

On Wednesday, Facebook said that it had investigated thousands of apps since March, and deactivated a total of 400 of those apps. The company also reiterated recent changes to its data sharing policies, which include cutting off data access for any app that users haven’t accessed for 90 days.

This new data leak revelation isn’t the only crisis deja vu moment for Facebook this week: The company disclosed Tuesday afternoon that it had identified and deactivated multiple Iranian and Russian disinformation campaigns on its site.