Facebook said that the bug authorised third-party developers to access photos that people may have uploaded but not shared publicly.
“We’re sorry this happened,” Facebook’s engineering director, Tomer Bar, said. “We will also notify the people potentially impacted by this bug via an alert on Facebook,” he added.
In the blog post, Tomer Bar said that the company had discovered the bug on September 25th of this year, but users’ private photos were exposed for a total of 12 days.
“Because of this bug, some third-party apps may have had access to a broader set of photos than usual for 12 days between September 13th to September 25th, 2018,” he explained.
“Currently, we believe this may have affected up to 6.8m users and up to 1,500 apps built by 876 developers.”
Facebook said it will release a tool for app developers that will enable them to find out which users were affected by the bug.
“Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.”
Irish DPC investigation into Facebook
The Irish Data Protection Commission confirmed that it has launched a new investigation into Facebook because of the high volume of breaches over the year.
“The Irish DPC has received a number of breach notifications from Facebook since the introduction of the GDPR on May 25, 2018,” a spokesperson said.
“With reference to these data breaches, including the breach in question, we have this week commenced a statutory inquiry examining Facebook’s compliance with the relevant provisions of the GDPR.”
The news comes as Facebook continues to receive scrutiny from lawmakers in the US, Europe, and the UK following its involvement in the Cambridge Analytica scandal.