Facebook did it again.
Adding to the social network’s ever-growing list of privacy controversies, Facebook says a bug may have exposed the photos of up to 6.8 million of its users during a 12-day period in September. During that time, the company says, third-party apps may have had access to more users’ photos than they were meant to, including pics that may have been uploaded to Facebook but never posted.
“When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline,” Facebook Engineering Director Tomer Bar wrote in a blog post to developers on Friday. “In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post. For example, if someone uploads a photo to Facebook but doesn’t finish posting it — maybe because they’ve lost reception or walked into a meeting — we store a copy of that photo so the person has it when they come back to the app to complete their post.”
Facebook told Gizmodo in an email that the incident resulted from an error in a code update to the photo API between September 13 and September 25, adding that it found and fixed the bug on September 25. Facebook has not yet commented on whether expired Facebook Stories photos were exposed, though it did specify that no photos shared in Messenger were affected. (We’ll update when they get back to us on the Stories thing.) In a note in its Help Center, the company advised users to log into apps with permission to view their Facebook photos to see which photos those apps had access to.
A Facebook spokesperson said it is contacting users who may have been affected by the bug. It is also reaching out to the 876 developers of 1,500 apps that may have had broader access to user photos to ask them to check for and delete any such images—a tried and true method that has gone over spectacularly for the company in the past.
Facebook said that although it learned of the bug in September, we are only just learning of this most recent incident because its investigation into who was affected, on both the end-user and developer sides, was ongoing. But regardless of when they divulged this charming bit of info, the company can’t keep from adding it to the pile of innumerable bugs and privacy issues that have come to light during its Year From Hell.
“We have been investigating the issue since it was discovered to try and understand its impact so that we could ensure we are contacting the right developers and people affected by the bug,” a spokesperson said in a statement by email. “It then took us some time to build a meaningful way to notify people, and get translations done.”