Facebook disclosed another software bug on Friday that may have exposed some users’ private photos to app developers without their permission. The bug, which was live for 12 days in September, may have impacted as many as 6.8 million users.
Facebook says the bug impacted hundreds of apps that let users create accounts and sign in using their Facebook login information. The bug gave those developers access to a broader range of a user’s Facebook photos than is usually allowed.
“When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline,” Facebook wrote in a blog post. “In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories.”
That included photos from draft posts — essentially, photos that were uploaded to Facebook but never actually shared. It did not impact photos shared in Messenger, and we’ve asked Facebook if it impacted photos shared to private groups or albums.
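The scoping failure Facebook describes above, modeled as an added example (this is not Facebook’s code, whose internals are not public): a photo grant to a third-party app should be bounded not only by ownership and the approved permission but also by the surface the photo was shared to and whether it was ever published. The defective variant drops those last two conditions, which is the shape of the defect the post describes; the Photo and AppGrant types, the surface names and the sample data are assumptions constructed for this illustration.

```python
from dataclasses import dataclass
# Surfaces a photo can be shared to (names assumed for this example).
TIMELINE, MARKETPLACE, STORIES = "timeline", "marketplace", "stories"
# Only timeline photos are meant to be visible to a third-party app.
ALLOWED_SURFACES = frozenset({TIMELINE})

@dataclass(frozen=True)
class Photo:
    photo_id: str
    owner_id: str
    surface: str
    published: bool  # False for a draft that was uploaded but never shared

@dataclass(frozen=True)
class AppGrant:
    app_id: str
    user_id: str
    scopes: frozenset  # permissions the user approved, e.g. {"user_photos"}

def photos_for_app_overbroad(grant, photos):
    """Defective check: ownership and scope only. Marketplace, Stories and
    unpublished drafts all leak to any app holding the photo permission."""
    if "user_photos" not in grant.scopes:
        return []
    return [p for p in photos if p.owner_id == grant.user_id]

def photos_for_app(grant, photos):
    """Hardened check: the grant is also bounded by surface and publish state."""
    if "user_photos" not in grant.scopes:
        return []
    return [p for p in photos
            if p.owner_id == grant.user_id
            and p.surface in ALLOWED_SURFACES
            and p.published]

def leaked_ids(grant, photos):
    """Ids the defective check exposes but the hardened check withholds."""
    allowed = {p.photo_id for p in photos_for_app(grant, photos)}
    return sorted(p.photo_id for p in photos_for_app_overbroad(grant, photos)
                  if p.photo_id not in allowed)

# Constructed sample data: one user, one app, five photos.
SAMPLE_PHOTOS = [
    Photo("p1", "u1", TIMELINE, True),
    Photo("p2", "u1", TIMELINE, False),   # draft, never shared
    Photo("p3", "u1", MARKETPLACE, True),
    Photo("p4", "u1", STORIES, True),
    Photo("p5", "u2", TIMELINE, True),    # belongs to another user
]
SAMPLE_GRANT = AppGrant("app1", "u1", frozenset({"user_photos"}))
```

The set returned by `leaked_ids` is the kind of per-user difference an investigation has to enumerate before it can decide who was affected and whether a breach is reportable.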
Facebook has had an embarrassingly terrible year when it comes to user privacy. Not including Cambridge Analytica, which exposed the company’s weak privacy policies from years past, Facebook has had a number of other privacy mishaps, many of them in the past six months.
There was a bug that accidentally “unblocked” people that users had blocked; there was a bug that changed users’ share settings so that they were sharing information publicly without realizing it; and hackers then stole the private information of almost 30 million users right before the midterm elections.
This new photo-sharing bug is yet another black eye for the company, which is dealing with the (totally fair) perception that it doesn’t take user privacy seriously. Why would anyone trust Facebook with their personal data? We asked CEO Mark Zuckerberg that question back in September when Facebook disclosed the security breach:
“As I’ve said in a number of things that I’ve written and spoken about, including election security, security is an arms race. We’re continuing to improve our defenses, and I think that this also underscores that there are just constant attacks from people who are trying to take over accounts or steal information from people in our community. I think that the teams that we have at Facebook are very focused on this and there are a lot of talented people who are working on this and I think doing good work, but this is going to be an ongoing effort and we’re going to need to keep on focusing on this over time.”
It’s unclear if Facebook might be punished by regulators for this most recent blunder. That’s because Facebook told TechCrunch that it discovered the bug on Sept. 25 — almost three months ago. New European data laws require companies to report data breaches to authorities within 72 hours, and to the user “without undue delay.” They can be fined for violations.
Facebook reported the issue to the Office of the Data Protection Commissioner on Nov. 22, “as soon as we established it was considered a reportable breach under GDPR,” a spokesperson told Recode. “We had to investigate in order to make that conclusion. And once we did, we let our regulator know within the 72-hour timeframe.”
Users were obviously not told at the same time. “We have been investigating the issue since it was discovered to try and understand its impact so that we could ensure we are contacting the right developers and people affected by the bug,” a company spokesperson said over email. “It then took us some time to build a meaningful way to notify people, and get translations done.”
Facebook, meanwhile, will begin to alert users who were impacted. Here’s what the alert will look like.
This article originally appeared on Recode.net.