Facebook on Friday revealed that a major software bug may have allowed third-party apps to wrongly access the photos of up to 6.8 million users, including images that people began uploading to the site but didn’t post publicly.
The mishap, which occurred over a 12-day period in September, adds to Facebook’s mounting privacy headaches after a series of incidents earlier this year in which it failed to fully safeguard the personal data of its users.
It already has prompted European regulators to investigate — and brought fresh calls for the company to be fined.
In general, Facebook allows apps by third-party developers to obtain users’ permission and access photos shared on their timeline.
Because of the bug, though, roughly 1,500 apps could access “a broader set of photos than usual,” Facebook explained in a blog post. That includes photos that a user may have started to post, but abandoned before actually publishing, because Facebook keeps a copy of the draft in the event a user might want to finish uploading it later.
The software bug also may have allowed developers to access photos they weren’t supposed to on Marketplace, a Facebook hub for users to buy and sell goods, and some posted in Stories, where users can share short photo or video updates that appear for 24 hours.
Facebook’s latest revelation quick drew sharp rebukes from privacy advocates.
“It’s stunning that Facebook has the ability to send user photos to third parties when the user has not fully uploaded the photo,” said Marc Rotenberg, the executive director of the Electronic Privacy Information Center. “It’s like a provider sending draft emails.”
In response, Facebook apologized to users on Friday.