Facebook announced Friday that a bug had exposed the private photos of 6.8 million users without their permission.
The bug enabled third-party app developers to access photos that Facebook users had uploaded but not yet shared, the company said. Images shared over Facebook Stories were also affected.
The breach happened over 12 days in September and involved 1,500 apps created by 876 developers.
“We’re sorry this happened,” said Facebook engineering director Tomer Bar in a blog post. “Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.”
Bar added that the company will notify people whose photos may have been breached via an alert on Facebook.
Asked by CNN why the company waited so long to inform users, a Facebook spokesperson said, “We have been investigating the issue since it was discovered to try and understand its impact, so that we could ensure we are contacting the right developers and people affected by the bug. It then took us some time to build a meaningful way to notify people, and get translations done.”
Facebook has had a hell of a year. In January, journalists uncovered the Cambridge Analytica scandal — a Republican-linked company formerly led by Steve Bannon had accessed the private information of 87 million people for political use, without their consent. CEO Mark Zuckerberg and COO Sheryl Sandberg were compelled to testify before Congress about that, along with Russian interference in the 2016 election via the platform. A recent New York Times report alleged that the company dragged its feet when the Russian troll problem was discovered, then attempted to deflect blame and discredit its critics in response.
