Facebook on Friday revealed that a major software bug may have allowed third-party apps to wrongly access the photos of up to 6.8 million users, including images that people began uploading to the site but didn't post publicly.
The mishap, which occurred over a 12-day period in September, adds to Facebook's mounting privacy headaches after a series of incidents earlier this year in which it failed to fully safeguard the personal data of its users.
In general, Facebook allows apps by third-party developers to obtain users' permission and access photos shared on their timeline. Because of the bug, though, roughly 1,500 apps could access "a broader set of photos than usual," Facebook explained in a blog post.
That includes photos that a user may have started to post, but abandoned before actually publishing, because Facebook keeps a copy of the draft in the event a user might want to finish uploading it later.
The software bug also may have allowed developers to access photos they weren't supposed to on Marketplace, a Facebook hub for users to buy and sell goods, and some posted in Stories, where users can share short photo or video updates that appear for 24 hours.
Facebook's latest revelation quickly drew sharp rebukes from privacy advocates. "It's stunning that Facebook has the ability to send user photos to third parties when the user has not fully uploaded the photo," said Marc Rotenberg, the executive director of the Electronic Privacy Information Center. "It's like a provider sending draft emails."
In response, Facebook apologized to users on Friday. "Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug," the company said. "We will be working with those developers to delete the photos from impacted users."
Facebook did not detail the exact apps that may have obtained these photos, or what they may have done with them. A spokeswoman did not immediately respond to a request seeking comment.
The photo mishap could embolden those who believe Facebook and its peers in Silicon Valley should be regulated for the data they collect about their users. It could also result in fines and other penalties for Facebook, which is already under federal investigation for a series of earlier privacy breaches. That probe, initiated by the Federal Trade Commission, is the result of Facebook's entanglement with Cambridge Analytica, a political consultancy that improperly accessed data on 87 million users.
Rotenberg said the new incident offered "more evidence" that Facebook has run afoul of the 2011 agreement it brokered with the FTC that required the tech giant to improve its privacy practices - violations that could result in sky-high fines.
Several of Facebook’s recent privacy lapses have involved third-party apps. In the case of Cambridge Analytica, the firm previously harnessed profile information on Facebook users in 2015 through a quiz app developed by a researcher. In response to that scandal, Facebook initiated a broad review of the games and other third-party apps made available to its users on the site. In May, it suspended about 200 of them, declining at the time to describe exactly why.