The company said that no private user data had been sold -- Facebook does not consider UIDs to be private even though they can be used to track individual users -- and it said that the UIDs transferred were not used to access private data.
"Facebook has never sold and will never sell user information," said Facebook engineer Mike Vernal in a blog post. "We also have zero tolerance for data brokers because they undermine the value that users have come to expect from Facebook."
Facebook does not have to sell user information since most Facebook users give their information away to Facebook developers when they choose to use Facebook applications.
Facebook did not name the data broker that had paid for UIDs, but Vernal's blog post said that the company had also reached an agreement with RapLeaf, "the data broker who came forward to work with us on this situation." As part of the agreement, RapLeaf will delete UIDs in its possession and refrain from future activities involving Facebook, directly or indirectly.
The acknowledgement comes following a Wall Street Journal investigation last month that found popular Facebook apps revealed UID numbers. UID numbers can be used to determine a Facebook user's name and possibly other information. The principal privacy risk is that UIDs can be used to associate a Facebook identity with actions outside of Facebook.
In response to that investigation, Facebook put forward a plan to enable the optional encryption of UID numbers. The company has published a technical outline and solicited feedback from developers. It maintains that the additional issue of information exposed through HTTP Referer headers must be addressed by a broad range of technology companies.
The company also said that it is tightening its policies about how UIDs can be used, stored, and transmitted.