An example of the notification sent out by Facebook to users who are potentially affected by the bug. <br> Image source: Facebook
Facebook suffered another data breach, no thanks to a Photo API bug which affected up to 6.5 million users and up to 1,500 apps built by 876 developers.
In a blog post, Facebook described how the Photo API bug gave unauthorized access to the third party apps for 12 days between 13 September and 25 September. The bug allowed developers to access other photos such as those shared on Marktplace or Facebook Stories. It also exposed photos that users uploaded to Facebook, but chose not to post.
When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post. For example, if someone uploads a photo to Facebook but doesn't finish posting it - maybe because they've lost reception or walked into a meeting - we store a copy of that photo for three days so the person has it when they come back to the app to complete their post.
While the bug has been fixed, it's disturbing Facebook chose not to disclose the data breach on the same day it shared that 29 million Facebook accounts were exposed to hackers. Why did it take three months for Facebook to reveal this incident?
Starting from next week, Facebook will be rolling out tools for app developers to allow them to determine which people using their apps might be impacted by the bug. It will work with these developers to delete the photos from affected users. Potentially affected users will also be notified via an alert on Facebook.
Our articles may contain affiliate links. If you buy through these links, we may earn a small commission.