Facebook discovered a photo API bug that it believes might have affected people who used Facebook Login and granted third-party apps permission to access their personal pictures.
“We have fixed the issue but, because of this bug, some third-party apps may have had access to a broader set of photos than usual,” Tomer Bar, engineering director, Facebook, admits in a new blog post.
The overexposure took place during the 12 days between September 13 and September 25.
When Facebook users give permission for apps to access their photos, it’s only supposed to include those that they’ve shared on their timeline. However, the bug in question potentially gave developers access to other photos, including those shared on Marketplace and Facebook Stories.
Critically, the bug also impacted photos that users had uploaded to Facebook but had chosen not to post.
As of Friday, Bar estimated the bug affected up to 6.8 million users, and up to 1,500 apps built by 876 developers.
Early next week, Bar’s team plans to roll out tools for app developers to help them determine which users were impacted. “We will be working with those developers to delete the photos from impacted users,” he said.
Of course, this isn’t the only security issue to impact Facebook users this year.
Since first being rocked by the Cambridge Analytica controversy in March, Facebook has suffered several other privacy mishaps.
In July, Facebook said a bug was to blame for temporarily unblocking some users who had previously been blocked. The company said that mess-up could have impacted as many as 800,000 users of Messenger and its flagship app.
In October, the company admitted that a hiccup led to the deletion of some users’ Live videos when they tried to post them to their Story and News Feed.