Facebook bug exposed private photos of 6.8 million users

Up to 1,500 apps built by 876 developers could have had accessed the private photos of 6.8 million users.
Written by Catalin Cimpanu, Contributor
Image: Facebook

Facebook announced today another security incident affecting millions of its customers. This time, the company said that a bug in one of its APIs exposed the private photos of nearly 6.8 million users.

Facebook blamed this new leak on a Photo API bug that was present in its backend code between September 13 to September 25, 2018.

Also: Nicolas Cage: 'I hate social media' CNET

The company said that during that interval the bug allowed Facebook third-party apps to access more than just the user's public photos. Tomer Bar, a Facebook developer, provided the following explanation about the Photo API bug leak:

When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post. For example, if someone uploads a photo to Facebook but doesn't finish posting it - maybe because they've lost reception or walked into a meeting - we store a copy of that photo so the person has it when they come back to the app to complete their post.

Bar said that a Facebook investigation revealed that 1,500 apps built by 876 developers might have been able to access the non-public photos of up to 6.8 million users.

It is unclear if any of these apps abused the bug to actually access and download users' private and non-posted photos.

Facebook said it would start notifying affected users. These include users who installed any of the 1,500 apps and gave the app permission to access their photos. The notification, displayed above, will list what apps users had installed, allowing users to uninstall them if they wished to. Users can also visit a dedicated web page to found out if they were affected.

Earlier this year, Facebook announced that an unknown threat actor had used a combination of three bugs to download personal data from over 50 million users, a number it later downgraded to 30 million.

Also: Here's how quickly Facebook rebuilt its profile on me CNET

Facebook is also the third major tech company to announce a major bug in one of its APIs. Twitter announced a similar API issue in September, and Google announced two API issues, one in October (500,000 users affected) and another one in December (52.5 million users affected).

These are the worst hacks, cyberattacks, and data breaches of 2018

More data breach coverage:

Editorial standards