Facebook revealed today that it discovered a software bug that exposed the unpublished photos of up to 6.8 million users.
The bug was in the photo API and affected users who have granted permissions to third-party apps to access their photos.
For 12 days, between September 13th and 25th of this year, some of those apps may have had a much broader range of access than the users or Facebook had granted. Instead of only being able to “see” photos that have been publicly shared on a user’s timeline, those apps could see even photos that were uploaded to Facebook but not yet published.
“For example, if someone uploads a photo to Facebook but doesn’t finish posting it – maybe because they’ve lost reception or walked into a meeting – we store a copy of that photo so the person has it when they come back to the app to complete their post,” Facebook explains.
The apps also had access to photos posted in Facebook Stories and in the Facebook Marketplace.
Facebook currently believes the bug affected up to 6.8 million users and 1,500 third-party apps built by 876 developers. If you may have been affected, Facebook will present you with a notification in its app along with a list of apps that may have had incorrect access to your photos.
The company is also working with app developers to figure out which users might have been impacted by the bug and to delete any photos that may have been obtained.
“We’re sorry this happened,” Facebook says.