Facebook Inc said a software bug gave outside developers broader access to the photos of millions of users, another privacy misstep by the world’s largest social network.
As many as 6.8 million users and up to 1,500 apps were involved, according to a blog post the company published on Friday. The bug has been fixed and Facebook is alerting people potentially affected.
“We’re sorry this happened,” Facebook said. “Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.”
Usually when a Facebook user gives an app permission to access their photos, the company only grants access to images shared on their timeline. The bug, which spanned the 12 days between Sept. 13 and Sept. 25, potentially gave developers access to other images, such as photos uploaded to the site but not yet posted, the Menlo Park, California-based firm said. A Facebook representative said the bug was global and that the company does not yet know which developers got more photos than they should have.
This is the latest in a series of incidents that have eroded user trust, including a major breach in September. The Irish Data Protection Commission said it has launched a new probe investigating Facebook after receiving a number of breach notifications from the company this year, beyond the one disclosed on Friday.
“With reference to these data breaches, including the breach in question, we have this week commenced a statutory inquiry examining Facebook’s compliance” with Europe’s General Data Protection Regulation, said Graham Doyle, a spokesman at the Irish DPC, Facebook’s main privacy regulator.
That’s in addition to another probe of Facebook privacy that the regulator announced in September. GDPR kicked in across the European Union on May 25, and Ireland’s probes of Facebook comprise the first major privacy case under the new law.
A Facebook spokesperson said it took a while to determine if the latest breach was something the company was required to report.
“We notified the IDPC as soon as we established it was considered a reportable breach under GDPR,” the spokesperson said. “We had to investigate in order to make that conclusion. And once we did, we let our regulator know within the 72-hour time frame.”
The U.S. Federal Trade Commission is also looking into Facebook data breaches. A representative wouldn’t comment on whether the latest breach is included in the scrutiny.