A Facebook bug exposed photos from up to 6.8 million users using third-party apps, the company disclosed Friday. The exposed photos include those that users never finished sharing to the site, Facebook said.
The disclosure is one of several privacy scandals the company has grappled with over the past year. In March, reports from the New York Times and the Guardian shed light on how Cambridge Analytica used data on Facebook users to influence the 2016 U.S. presidential election. In September, it announced a security breach that affected up to 50 million users and sent its stock price plunging more than 2.5 percent.
Facebook said that photos users had not yet finished sharing could have been accessed by third-party apps to which those users had granted permission to access their Facebook photos. The unshared photos were reachable because the platform keeps a stored copy of any photo a user begins uploading to their profile but never finishes sharing.
Facebook said the bug in its photo API affected a 12-day window between Sept. 13 and Sept. 25 and gave access to up to 1,500 apps built by 876 developers. Facebook said the bug did not affect photos shared in Messenger conversations, and that it became aware of the bug and fixed it on Sept. 25.
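The failure the article describes is an authorization-scope mismatch: a user grants an app permission to read their shared photos, but the API answers by returning every photo the platform has stored for that user, including copies of uploads that were never shared. The following is an added example, not Facebook's code and not a description of its API; the data model, the `user_photos` scope name, the `PhotoState` surfaces and the sample photos are all constructed here to illustrate the defect beside a corrected check, plus the kind of impact query a developer would need to identify which users' photos were over-exposed.

```python
from dataclasses import dataclass
from enum import Enum


class PhotoState(Enum):
    """Where a stored photo currently lives (constructed for this example)."""
    PENDING_UPLOAD = "pending_upload"  # copy kept after an upload the user never finished sharing
    TIMELINE = "timeline"              # published to the user's profile


@dataclass(frozen=True)
class Photo:
    photo_id: str
    owner_id: str
    state: PhotoState


@dataclass(frozen=True)
class AppGrant:
    """A user's consent record for one third-party app (hypothetical shape)."""
    app_id: str
    user_id: str
    scopes: frozenset


# Constructed sample data: user u1 has two published photos and one unfinished upload;
# u2's photo is present only to show that ownership is still enforced in both paths.
PHOTOS = (
    Photo("p1", "u1", PhotoState.TIMELINE),
    Photo("p2", "u1", PhotoState.PENDING_UPLOAD),
    Photo("p3", "u1", PhotoState.TIMELINE),
    Photo("p4", "u2", PhotoState.TIMELINE),
)
GRANTS = {
    ("app_a", "u1"): AppGrant("app_a", "u1", frozenset({"user_photos"})),
}

# Which surfaces each scope is understood by the user to cover. An assumption for this
# example: "photos" means photos the user actually published, never pending uploads.
SCOPE_SURFACES = {"user_photos": frozenset({PhotoState.TIMELINE})}


def list_photos_scope_only(app_id, user_id, photos=PHOTOS, grants=GRANTS):
    """Defective pattern: checks only that the app holds the scope, then returns every
    photo stored for the user, so unfinished uploads leak along with shared ones."""
    grant = grants.get((app_id, user_id))
    if grant is None or "user_photos" not in grant.scopes:
        return []
    return [p.photo_id for p in photos if p.owner_id == user_id]


def list_photos_surface_aware(app_id, user_id, photos=PHOTOS, grants=GRANTS):
    """Corrected pattern: a scope authorises only photos on the surfaces it covers.
    A pending upload belongs to no granted surface, so it is withheld."""
    grant = grants.get((app_id, user_id))
    if grant is None:
        return []
    allowed_states = frozenset().union(
        *(SCOPE_SURFACES.get(scope, frozenset()) for scope in grant.scopes)
    )
    return [
        p.photo_id
        for p in photos
        if p.owner_id == user_id and p.state in allowed_states
    ]


def over_exposed(app_id, user_id, photos=PHOTOS, grants=GRANTS):
    """Impact assessment: photo ids the defective path released beyond what the
    corrected path allows, i.e. what an affected app may have received and should delete."""
    leaked = set(list_photos_scope_only(app_id, user_id, photos, grants))
    intended = set(list_photos_surface_aware(app_id, user_id, photos, grants))
    return leaked - intended


if __name__ == "__main__":
    print("defective :", list_photos_scope_only("app_a", "u1"))
    print("corrected :", list_photos_surface_aware("app_a", "u1"))
    print("over-exposed:", sorted(over_exposed("app_a", "u1")))
```

The design point is that the authorization decision keys on the state of each object, not just on the presence of a scope string: a permission names a surface the user understands, and anything stored outside that surface must fail the check by default. The `over_exposed` diff is the same computation a platform needs when it later has to tell developers which users' photos to delete.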
Under the European Union’s new General Data Protection Regulation (GDPR), companies must notify the appropriate authorities of a data breach within 72 hours of becoming aware of it. Facebook said it took some time to alert the public while it investigated the impact of the bug, but the company said it complied with GDPR reporting requirements by reporting the bug to the Irish Data Protection Commission on Nov. 22, once it was able to conclude it was “a reportable breach under GDPR.”
“We notified the IDPC as soon as we established it was considered a reportable breach under GDPR. We had to investigate in order to make that conclusion. And once we did, we let our regulator know within the 72 [hour] timeframe,” a Facebook spokesperson said in a statement.
The IDPC confirmed it began reviewing Facebook’s compliance with GDPR this week. In a statement, Graham Doyle, the head of communications at the IDPC said, “The Irish DPC has received a number of breach notifications from Facebook since the introduction of the GDPR on May 25, 2018. With reference to these data breaches, including the breach in question, we have this week commenced a statutory inquiry examining Facebook’s compliance with the relevant provisions of the GDPR.”
Facebook said it will alert users who may have been affected by the breach through a notice on the site that will show them how to check whether apps they use were affected. The company also advises users to log into any apps to which they believe they granted access to their Facebook photos, to see which photos those apps have accessed.
“We’re sorry this happened,” Facebook said in the post on its developers blog written by Tomer Bar, an engineering director at the company. “Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.”