Up to 6.8 million people may have been affected by the latest bug discovered on Facebook. This time, the leak gave third-party apps access to users’ photos, Facebook said in a blog post.
The company fixed the issue, but outside developers had access to affected users’ photos that were uploaded to Marketplace or Facebook Stories between Sept. 13 and 25 this year. The bug also gave the apps, which normally just have access to photos shared on a user’s timeline, access to photos that were uploaded but not posted.
“We’re sorry this happened,” Tomer Bar, engineering director at Facebook, wrote in the post. The company will inform users who were potentially affected by the bug. You can do this yourself, by clicking on this link. Next week, the developers themselves will be able to check which of their apps’ users were affected. “We will be working with those developers to delete the photos from impacted users,” Bar wrote.
The company told Quartz the number of people affected is likely to be smaller, but, to be safe, it is informing anyone who used the 1,500 apps in question. It also said the bug was caused by a mistake in a code update for Facebook’s photo API, and that it did not affect photos shared on Messenger. It took more than two months to disclose the bug because the company wanted to make sure it understood its impact and to create a way to notify users about the problem.
The EU’s new privacy laws require that companies disclose breaches within 72 hours, and Facebook said it had to investigate the issue in order to determine whether the bug fell under those regulations. Once it did, it notified the data protection agency in Ireland, where the company has its European headquarters, the company said. Facebook wasn’t immediately available to explain when exactly it alerted authorities in Ireland.
Facebook’s announcement comes after a major hack in October exposed sensitive data of 30 million users. It also caps a year marked by a parade of scandals for the tech giant.