In a news release Friday, Facebook said their team found a photo API bug that exposed millions of users pictures to third party apps for 12 days in September.
The bug could have affected up to 6.8 million users and up to 1,500 apps built by 876 developers. The bug affects those who used Facebook Login and granted permission to third-party apps to access their photos.
Facebook says they have fixed the issue but, because of the bug, some third-party apps may have had access to a broader set of photos than usual between September 13 to September 25 this year.
They say the bug may have given developers access to other photos including those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post, they said.
“For example, if someone uploads a photo to Facebook but doesn’t finish posting it – maybe because they’ve lost reception or walked into a meeting – we store a copy of that photo so the person has it when they come back to the app to complete their post,” the release said.
The company apologized saying that they intend to find out who was affected and notify them with an alert on Facebook.
The new Facebook help page will warn users whether their account was compromised or not. This new page will require for you to be logged in to the social networking site. For users who weren’t affected during the breach, you will see the text, “Your Facebook account has not been affected by this issue and the apps you use did not have access to your other photos.”
For those affected by the bug, the page will list all the apps where your photos were exposed to.
Facebook recommends that people log into any apps with which they have shared their Facebook photos to check which photos they have access to.
You can find more information about how Facebook plans to address the breach here.