New Facebook data leak allowed apps broader access to 6.8 million users’ photos

It looks like the year couldn’t end without yet another Facebook scandal. This time around the company has come clean about discovering a bug in its photo API that allowed apps to access unposted photos from 6.8 million accounts.

The bug affected people who used Facebook Login and granted permission to third-party apps to access their photos. The issue has been fixed, but because of the bug some apps may have had access to “a broader set of photos” than intended for a period of 12 days, between September 13 and September 25.

The bug gave up to 1,500 apps, built by 876 developers, access to photos of 6.8 million users. Normally these apps can only see the photos that people share on their timeline, but during the aforementioned period they were also able to access other pictures, such as those shared on Marketplace or Facebook Stories, as well as photos uploaded to Facebook but not posted on an account’s timeline.

The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos. So it’s not as bad as apps seeing your images without your consent, but it does mean that apps may have seen more pictures than they should have – or than you knew they would.

Facebook says it’s sorry this happened, and next week it will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted. The company will work with those developers to delete the photos. Additionally, if your account was affected by this bug, you will be notified via an alert on Facebook, which will direct you to a Help Center link where you’ll be able to see if you’ve used any of these apps.

The social network also recommends that you log into any app with which you’ve shared your photos to check which images it has access to.