Facebook, the world’s largest social media site, sued oneAudience, a marketing company it accused of “improperly” accessing users’ personal information without their authorization.

Facebook filed a federal lawsuit against the New Jersey-based firm, which allegedly hired developers to install a malicious software development kit, or SDK, in their apps to exploit the “login with Facebook” feature.

Jessica Romero, Facebook’s director of platform enforcement and litigation, said that the marketing firm also paid apps to collect data on other Internet sites like Google and Twitter.

“Security researchers first flagged oneAudience’s behavior to us as part of our data abuse bounty program… Facebook, and other affected companies, then took enforcement measures against oneAudience,” she explained.

Late last year, Facebook and Twitter had already informed their users that oneAudience had been involved in illegally harvesting personal data.

Facebook then sent oneAudience a legal notification to stop its activities. The company was obliged to comply with the site’s audit requirements, but it declined.

Twitter, for its part, advised users to double-check the apps linked to their accounts and immediately revoke access for any that are unused or unrecognized.

At the time, oneAudience said in its defense that it had no intention of harvesting data and that the SDK had already been shut down.

The company now remains silent about the lawsuit and has not yet responded to any media request for comment.

Meanwhile, experts say the filing shows that using Facebook, Twitter or Google credentials to log in to new sites, instead of creating new accounts, poses privacy threats.

Alex Stamos, director of the Stanford Internet Observatory and former Facebook security executive, suggested that social media sites need to strengthen their measures to protect users’ data as the first line of defense.

He added that it would be truly helpful if the government could impose federal privacy protection regulations.

“For me, the end result of all of these cases is the need for a federal privacy law… If the US had privacy laws, then individuals could go after companies that misuse their data more directly and effectively,” Stamos said.