Facebook recently announced that they have discovered a photo API bug that may have exposed a broad set of user photos to third-party apps for 12 days between September 13 to September 25, 2018.
Facebook explains that when someone gives permission for an app to access their photos on Facebook, they usually only grant the app access to photos people share on their timeline. The bug, however, potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories, and also affected photos uploaded to Facebook but chose not to post. Facebook stores a copy of that photo for three days so the person has it when they come back to the app to complete their post.
Facebook has already fixed the issue but believes that it may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers. The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos.
As usual, Facebook is sorry and will rollout tools for app developers that will allow them to determine which people using their app might be impacted by this bug. Facebook will also work with those developers to delete the photos from impacted users.
Affected users, on the other hand, will receive an alert on Facebook. The notification will direct them to a Help Center link where they’ll be able to see if they’ve used any apps that were affected by the bug.