Facebook accidentally exposed private photos of about 6.8 million users to third-party apps, the company said today. These apps were authorized to see a limited set of users’ photos, but a bug allowed them to see pictures they weren’t granted access to. These included photos from people’s stories as well as photos that people uploaded but never posted.
The incident happened between September 12th and September 25th. Facebook told TechCrunch that it found the breach on the 25th; it isn’t clear why the company waited until now to disclose it.
Affected users will receive a notification soon alerting them about their photos that may have been exposed. Facebook also says it will work with developers to delete copies of photos they weren’t supposed to access. In total, up to 1,500 apps from 876 different developers may have inappropriately accessed people’s pictures.
According to Facebook, the bug involved an error related to Facebook Login and its photos API, which allows developers to access Facebook photos within their own apps. All of the impacted users had logged into a third-party app using their Facebook accounts and granted it some degree of access to view their photos.
Facebook engineering director Tomer Bar wrote, “We’re sorry this happened.” The disclosure comes exactly one day after Facebook opened a pop-up installation in New York to show people how “you can manage your privacy” on the site.