Facebook blamed this new leak on a Photo API bug that was present in its backend code between September 13 and September 25, 2018. The next day, Facebook announced that a "bug" had inappropriately shared users' private data - this time, their photos.
The bug is the latest in a string of privacy problems the tech giant disclosed this year, including the massive Cambridge Analytica data scandal in April and a data breach of almost 30 million accounts in October.
With the help of Facebook, Cambridge Analytica improperly harvested the personal data of 50 million users to target political advertisements.
"We have been investigating the issue since it was discovered to try and understand its impact so that we could ensure we are contacting the right developers and people affected by the bug", a Facebook spokesperson told CNN.
The software bug may also have allowed developers to access photos they weren't supposed to see on Marketplace, a Facebook hub for users to buy and sell goods, and some posted in Stories, where users can share short photo or video updates that appear for 24 hours. Facebook also recommends that "people log into any apps with which they have shared their Facebook photos to check which photos they have access to". The fact that the company even stores these photos is nothing short of a privacy invasion. During that time, the company says, third-party apps may have had access to more users' photos than they were meant to, including pics that may have been uploaded to Facebook but never posted.
It said: "With reference to these data breaches, including the breach in question, we have this week commenced a statutory inquiry examining Facebook's compliance with the relevant provisions of the GDPR".
Top US social media network Facebook admitted that about 6.8 million users risk having their private photos exposed to third-party apps.
In the blog post, Facebook indicated it will notify people who were impacted. Guy Rosen, Facebook's vice president of product management, stated in the blog post revealing the bug: "The vulnerability was on Facebook, but these access tokens enabled someone to use the account as if they were the account-holder themselves".
That includes images that someone might have started posting but decided against before finishing the task, as Facebook keeps a copy of the initial attempt in case the user wants to upload it later. This is the reason why the company chose to publish an alert to all users that used one of the 1,500 apps about the potential impact on their privacy.