Facebook's latest app data bug exposed the private photos of 6.8m users

The data privacy scandals just keep coming for Facebook: the social network has revealed a flaw in its code that could have exposed the private photos of up to 6.8 million users. The security hole has now been patched, but was open for 12 days.

According to Facebook, the bug worked like this: if affected users granted apps access to their timeline photos, those apps could then get at pictures they weren't supposed to be able to see, including images from Facebook Stories and Facebook Marketplace. Even worse, they could see images uploaded to Facebook and not yet posted.

That's right – Facebook keeps copies of pictures you upload to the app and then don't get around to posting... just in case you want to come back and finish off the post. These images are kept for three days before being removed, Facebook says.
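The flaw described above is an authorization check that gates the API call rather than the individual photos. The following is an added illustration, not Facebook's code: a hypothetical photo store with the four surfaces the article names (timeline, Stories, Marketplace, unposted drafts), a hypothetical `timeline_photos` scope, the over-broad check beside a per-object check, and a retention helper for the three-day draft window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Photo surfaces named in the article; only TIMELINE is what the
# hypothetical "timeline_photos" scope is meant to grant.
TIMELINE, STORIES, MARKETPLACE, DRAFT = "timeline", "stories", "marketplace", "draft"
DRAFT_RETENTION = timedelta(days=3)  # unposted uploads are kept three days (article)
SCOPE = "timeline_photos"            # hypothetical permission name, not Facebook's
@dataclass
class Photo:
    photo_id: str
    owner: str
    surface: str      # which product the photo belongs to
    uploaded: datetime
    posted: bool      # False for uploads the user never finished posting

def photos_for_app_buggy(photos, owner, granted_scopes):
    # Vulnerable model: the scope gates the call, not the objects, so every
    # photo the user owns comes back whatever surface it belongs to.
    if SCOPE not in granted_scopes:
        return []
    return [p for p in photos if p.owner == owner]

def photos_for_app_fixed(photos, owner, granted_scopes):
    # Hardened model: authorization is applied per object; only photos the
    # user actually posted to the timeline fall under the permission.
    if SCOPE not in granted_scopes:
        return []
    return [p for p in photos
            if p.owner == owner and p.surface == TIMELINE and p.posted]

def leaked_by_bug(photos, owner, granted_scopes):
    # Photos the buggy path hands out that the fixed path withholds.
    allowed = {p.photo_id for p in photos_for_app_fixed(photos, owner, granted_scopes)}
    return [p for p in photos_for_app_buggy(photos, owner, granted_scopes)
            if p.photo_id not in allowed]

def expired_drafts(photos, now):
    # Drafts past the retention window should already be deleted; if the
    # cleanup lags, the over-permissive API exposes even more.
    return [p for p in photos if p.surface == DRAFT and not p.posted
            and now - p.uploaded > DRAFT_RETENTION]

# Constructed sample data: one user, one app holding the timeline scope.
NOW, SCOPES = datetime(2018, 12, 14, 12, 0), {SCOPE}
SAMPLE = [
    Photo("t1", "alice", TIMELINE, NOW - timedelta(days=30), True),
    Photo("s1", "alice", STORIES, NOW - timedelta(hours=5), True),
    Photo("m1", "alice", MARKETPLACE, NOW - timedelta(days=2), True),
    Photo("d1", "alice", DRAFT, NOW - timedelta(days=1), False),
    Photo("d2", "alice", DRAFT, NOW - timedelta(days=5), False),
]
```

Running `leaked_by_bug(SAMPLE, "alice", SCOPES)` on the sample returns the Stories, Marketplace and both draft photos, which is exactly the set the article says the affected apps could reach.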

Cleaning up the mess

Some 1,500 third-party apps were inadvertently granted a higher level of access than they really should have had. Facebook is notifying the developers of the apps in question, but to what extent they accessed or used photos they shouldn't have seen isn't clear.

"We're sorry this happened," writes Facebook's Tomer Bar. "Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users."

The bug was live in September before being fixed, and Facebook could be in trouble with EU regulators for waiting so long to report it. If you're one of the users that might have been affected, you should see an alert the next time you log in.