Facebook accidentally exposed 6.8 million users’ private photos to developers
Facebook on Friday disclosed a data breach that may have exposed unposted photos of as many as 6.8 million users.
According to the company’s developer blog, a photo API bug accidentally gave hundreds of third-party apps unauthorized access to photos of as many as 6.8 million users during a 12-day period between September 13 and 25. It is believed that up to 1,500 apps built by 876 developers may have been affected by the bug.
“When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline,” engineering director Tomer Bar said in a message to developers.
“In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories.”
Apparently, the bug also inadvertently gave third-party apps access to photos that were not shared on timelines. For example, this applies if someone uploads a photo to Facebook but doesn’t finish posting it, Bar added.
“We store a copy of that photo so the person has it when they come back to the app to complete their post,” he said.
Bar added that potentially affected Facebook users will get a Facebook notification, which will direct them to a Help Center link where they will be able to see if they have used any apps that were affected by the bug.
“We’re sorry this happened,” Bar said. “Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.”
Bar also suggested that users should log into any apps with which they have shared their Facebook photos to find out whether those apps have access to photos they shouldn’t.
Besides the Facebook photo API bug discovered in September, the social networking giant was also hit by another data breach the same month, in which data of some 30 million users was exposed to hackers as a result of a flaw in Facebook’s ‘View As’ feature.