Facebook has revealed an API bug that may have exposed more photos than users intended to third-party developers.

Usually, Facebook’s photo API limits third-party access to images users have already shared to their public feed. As a result of the bug, however, the company said that photos uploaded to Marketplace, its Craigslist-style buy-and-sell service, and its Snapchat-like Facebook Stories may have been accessed by other apps.

Additionally, photos uploaded to Facebook as part of an intended new post that had not yet been physically posted to the public may have been unwittingly exposed.

The company said the bug likely affected up to 6.8 million people who used Facebook’s login system to authenticate themselves on any of around 1,500 apps from 876 developers. Moreover, Facebook said the bug was active between a 12-day period from September 13 to September 25, 2018.

“Our internal team discovered a photo API bug that may have affected people who used Facebook Login and granted permission to third-party apps to access their photos,” Facebook’s director of engineering, Tomer Bar, wrote in a blog post.

Scale

While the overall scale of the bug is small relative to Facebook’s 2 billion-strong user base, the news comes at a sensitive time for the company, which is still reeling from a slew of privacy and security issues. In addition to the widely publicized Cambridge Analytica scandal that exploded into the public’s consciousness in March, Facebook also revealed that it inadvertently set 14 million users’ privacy settings for status updates to public, and it later revealed another data breach affecting nearly 50 million accounts.

Facebook didn’t say when it discovered the latest bug, but Europe’s General Data Protection Regulation (GDPR) requires companies to report such data breaches to the appropriate European authorities within 72 hours of discovery — failure to do so can result in massive fines.*

The regulations state:

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

The company added that it has now fixed the bug and that it will be notifying those who were potentially affected via an alert to visit a help center link. It also said that it would be working with developers to establish who was impacted and to delete any photos that the third parties didn’t have explicit permission to collect.

“We’re sorry this happened,” Bar added. “Early next week, we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.”

 *Update: Facebook told VentureBeat that it found the bug on September 25, and that it notified the Irish Data Protection Commissioner (IDPC) as soon as it established that it was considered a reportable breach — this happened on November 22. The company didn’t elaborate on how it took nearly two months to decide that it was a reportable breach, beyond stating that it was investigating the bug.