Facebook reveals bug affecting photos of up to 6.8 million users

Facebook said on Friday that up to 6.8 million people may have been affected by a software bug that exposed their photos to third-party app developers who did not have permission to view them.

Tomer Bar, Facebook’s engineering director, said in a blog post that the bug had been active for 12 days in September and has since been fixed.

“We're sorry this happened,” Bar wrote. “Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.”

He added that the company would begin notifying affected users via alerts.

The latest vulnerability adds to the growing list of incidents threatening public trust in technology companies and prompting scrutiny from regulators around the world.

The bug revealed on Friday only involved users who had granted permission to certain apps to access their photos. Bar estimated that it affects 876 developers and about 1,500 of their apps.

When a user grants a third-party app access to their photos, that permission typically covers only photos posted on the user's timeline. The bug let developers who had been granted that permission access photos outside that scope, including photos posted to the user's stories.

And in some cases, Bar wrote, app developers may have been able to access photos that were never posted at all but merely uploaded and saved to Facebook, for example while the user was offline.
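The failure described in the two paragraphs above is an authorization bug, not an authentication one: the app really had been granted a photo permission, but the API answered with resources the permission was never meant to cover. The following is an added illustration, not Facebook's code and not based on any published detail of its implementation. It models a hypothetical photo API with constructed sample data: a buggy handler that checks only whether the scope was granted and then returns every photo the user owns, a corrected handler that also checks the surface each photo was posted to, and a small audit routine of the kind a developer-facing impact tool would need, reporting which users and photos the buggy path over-exposed. The scope name `user_photos`, the surface names and the sample users are assumptions for the example.

```python
"""Hypothetical photo API showing a scope-enforcement bug and its fix.

Added example; not Facebook's code. Names and data are constructed.
"""
from dataclasses import dataclass
from enum import Enum


class Surface(Enum):
    """Where a photo lives. Only TIMELINE is covered by the photo permission."""
    TIMELINE = "timeline"
    STORY = "story"
    UNPUBLISHED = "unpublished"  # uploaded but never posted (assumed name)


@dataclass(frozen=True)
class Photo:
    photo_id: str
    owner: str
    surface: Surface


@dataclass(frozen=True)
class Grant:
    """A user's permission grant to one third-party app."""
    app_id: str
    user_id: str
    scopes: frozenset


PHOTO_SCOPE = "user_photos"  # assumed scope name for the example

# Constructed sample data.
PHOTOS = [
    Photo("p1", "alice", Surface.TIMELINE),
    Photo("p2", "alice", Surface.STORY),
    Photo("p3", "alice", Surface.UNPUBLISHED),
    Photo("p4", "bob", Surface.TIMELINE),
    Photo("p5", "carol", Surface.STORY),
]
GRANTS = [
    Grant("app-1", "alice", frozenset({PHOTO_SCOPE})),
    Grant("app-1", "bob", frozenset({PHOTO_SCOPE})),
    Grant("app-2", "carol", frozenset({"email"})),  # never granted photo access
]


def _require_scope(grant: Grant) -> None:
    if PHOTO_SCOPE not in grant.scopes:
        raise PermissionError(f"{grant.app_id} lacks {PHOTO_SCOPE} for {grant.user_id}")


def photos_for_app_buggy(grant: Grant, photos: list) -> list:
    """Bug: confirms the scope was granted, then returns every photo the user owns,
    regardless of the surface the scope actually covers."""
    _require_scope(grant)
    return [p for p in photos if p.owner == grant.user_id]


def photos_for_app_fixed(grant: Grant, photos: list) -> list:
    """Fix: the scope check is necessary but not sufficient; each photo must also
    belong to the surface the scope covers."""
    _require_scope(grant)
    return [
        p for p in photos
        if p.owner == grant.user_id and p.surface is Surface.TIMELINE
    ]


def overexposed(grant: Grant, photos: list) -> list:
    """Photos the buggy path returned that the fixed path does not: the set an
    impact tool would report for this app/user pair."""
    if PHOTO_SCOPE not in grant.scopes:
        return []  # apps without the scope never reached the buggy path
    permitted = {p.photo_id for p in photos_for_app_fixed(grant, photos)}
    return [p for p in photos_for_app_buggy(grant, photos)
            if p.photo_id not in permitted]


def impacted_users(grants: list, photos: list) -> list:
    """Users for whom at least one app could have seen out-of-scope photos."""
    return sorted({g.user_id for g in grants if overexposed(g, photos)})


if __name__ == "__main__":
    for g in GRANTS:
        hit = [p.photo_id for p in overexposed(g, PHOTOS)]
        print(f"{g.app_id} / {g.user_id}: over-exposed {hit}")
    print("impacted users:", impacted_users(GRANTS, PHOTOS))
```

The point of the audit routine is that an "is the scope present" check and a "does this resource fall under the scope" check are separate decisions; the first was made, the second was not. Bob is not impacted because he only ever had timeline photos, so the buggy and fixed handlers return the same set for him, which is why an impact tool has to look at what each affected app could actually have read rather than only at who granted the permission.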

A Facebook spokesperson told The Hill the bug was discovered and fixed on Sept. 25. The company later notified Irish data protection authorities of the vulnerability on Nov. 22 after it had determined disclosure was necessary under the European General Data Protection Regulation (GDPR), the spokesperson said.

The spokesperson did not say why the bug was not disclosed to the public until nearly a month after Irish officials were notified. Reuters reported that the Irish Data Protection Commissioner was already opening an investigation into whether Facebook was complying with GDPR.

The company has been under intense scrutiny in Washington since news broke in March that Cambridge Analytica, a right-wing political consulting firm, had obtained data on millions of users without their knowledge.

And in October, Facebook revealed that hackers had stolen extensive personal information on 14 million people in what is likely the largest cyberattack the platform has ever suffered.

The events are likely to increase scrutiny on Facebook, which has been the target of angry lawmakers and is under investigation by the Federal Trade Commission (FTC) over its handling of the Cambridge Analytica scandal. Facebook faces the risk of massive fines if the FTC finds that it violated a 2011 consent agreement that it reached with the agency over previous privacy charges.

A spokesman for the FTC declined to comment.

—Updated at 3:54 p.m.