Facebook has discovered a photo API bug that may have affected people who used Facebook Login and granted permission to third-party apps to access their photos. For 12 days between September 13 to September 25, 2018, the bug allowed third-party developers view the photos of up to 6.8 million Facebook users, whether they’d shared them or not.
Third-party apps could get access to the pictures photos in the “stories”, on the Marketplace website, as well as to the photos uploaded by users to Facebook not for sharing. Up to 1,500 apps, from 876 developers, potentially had access to private pics. Photos shared in Messenger conversations weren’t affected.
Users affected by the photo API bug will receive a notification with a link to the list of apps that have access to their photos. The company also will get in touch with developers of the apps for removing private users’ photos.
“We’re sorry this happened. Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users,” the company’s press release said.