Facebook disclosed Friday that the company had in September allowed third-party applications to improperly access photos from up to 6.8 million users.
The company said the bug affected as many as 1500 apps built by 876 developers, and exposed photos for 12 days between 13 September and 25 September. Facebook said it planned to work with the app developers to delete photos from impacted users.
"We're sorry this happened," Tomer Bar, Facebook's engineering director, wrote in a blog post last week. "Early next week, we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug."
Facebook typically restricts developer access to photos that people have shared on the timeline, the blog post said. But the bug ended up giving developers access to photos shared on Marketplace and Facebook Stories.
The bug also exposed photos that people had uploaded to Facebook but never actually posted.
Impacted users will be notified via a Facebook alert, the company said. The notification will direct them to the company's help center to see if they've used any apps that were affected by the bug. Facebook also recommends that people log in to any apps with which they have shared their Facebook photos to ensure that those apps don't have access to unauthorized images.
This is just the latest security misstep for Facebook, which in September reported that attackers had exploited a vulnerability in the company's code to potentially take over nearly 50 million people's accounts. The vulnerability allowed threat actors to steal Facebook access tokens, which they could use to take over people's accounts.