In this case, Facebook says photos that users had started uploading but were not ready to share might have been exposed. The company says 6.8 million users could have been affected.
“Our internal team discovered a photo API bug that may have affected people who used Facebook Login and granted permission to third-party apps to access their photos,” Facebook’s Tomer Bar explained in a blog post. “We have fixed the issue but, because of this bug, some third-party apps may have had access to a broader set of photos than usual for 12 days between September 13 to September 25, 2018.”
How it’s supposed to work
Normally, when a Facebook user gives an app permission to access their Facebook photos, the platform gives access only to the photos people have shared on their timeline. But in this case, Bar says the bug in the system could have given developers access to photographs shared on Marketplace and Facebook Stories, and other images that people uploaded but had not yet posted.
“For example, if someone uploads a photo to Facebook but doesn't finish posting it - maybe because they've lost reception or walked into a meeting - we store a copy of that photo for three days so the person has it when they come back to the app to complete their post,” Bar wrote.
This week Facebook says it will offer tools for app developers that will help them determine which people using their app might have been affected. The company will also work with developers to help them delete photos that were not meant to be shared.
Affected users will be notified
Users whose pictures might have accidentally been shared will also get a message from Facebook informing them of the issue. The notification will direct them to a Help Center link where they'll be able to see if they've used any apps that were affected by the bug.
Ireland’s Data Protection Commission, which is tasked with enforcing the European Union’s (EU) General Data Protection Regulation (GDPR), notes that this is just the latest breach notification it has received from the social media giant since the GDPR went into effect in May.
“With reference to these data breaches, including the breach in question, we have this week commenced a statutory inquiry examining Facebook’s compliance with the relevant provisions of the GDPR,” the agency said in a statement.