Facebook has revealed that a Photo API bug has exposed the private pictures of 6.8 million users through third party apps over a 12 day-period, in yet another privacy breach.
Users who used Facebook Login and granted permission to third-party apps to access their photos were affected between September 13 to September 25, 2018.
The bug also impacted photos that people uploaded to Facebook but chose not to post. For example, if someone had uploaded a photo to Facebook but didn’t finish posting it - perhaps because they lost reception or walked into a meeting - Facebook would store a copy of that photo for three days so the person had it when they came back to the app to complete their post.
According to Tomer Bar, an engineering director at Facebook, this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers.
The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos.
He wrote in a blog post: "We're sorry this happened. Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users."