In yet another user data breach, Facebook has revealed that a bug may have exposed the photos of up to 6.8 million users during a 12-day period in September. Third-party apps may have had access to photos that users had not given them permission to access. “When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline,” explained Facebook in a blog post.

In all, 6.8 million users and 1500 apps developed by 876 developers may have been affected by the bug. Only apps that had access to the photos API and that users had authorized to access their photos were affected.

The bug caused photos shared on Stories and Marketplace to be shared with developers. Even photographs which were uploaded to Facebook, but were not posted, may have been included in the breach. When a user uploads a photo, but does not complete posting it, Facebook stores a copy of that photo for three days “so the person has it when they come back to the app to complete their post.”

Facebook has not clarified whether Stories’ expired photos or current ones were exposed. It is also unclear if photos from Messenger Stories were affected by the bug. The company has begun notifying affected users and urged them to check which apps they have shared their Facebook photos with. Affected users can also check the help center to see if they have used any apps affected by this bug.

Bugs, hackers and privacy on Facebook

Facebook’s nonchalance about user privacy blew up with Cambridge Analytica, and the company has not seen good days since then.

All of these happened recently:

  • Hackers managed to compromise and publish private messages from at least 81,000 Facebook accounts, and sell them online
  • A bug randomly unblocked people that users had blocked; about 800,000 users’ posts and photographs became visible to the blocked users
  • A glitch changed the privacy setting of 14 million users, making their private posts and updates public

Internal Facebook documents from an ongoing case between app developer Six4Three and the company reveal that Facebook was providing favourable user data access, including access to users’ friends, to companies like Airbnb and Netflix between 2012 and 2015. Facebook even discussed charging developers for access to user data, but eventually did not do so.
