Facebook logo in black and white

Facebook, on Friday, revealed that a software bug might have unintentionally given app developers access to the private photos of about 6.8 million users, potentially exposing untold numbers of pictures users never thought would be public.

The news is just the latest setback for the social media giant, whose privacy practices have faced intense scrutiny since the Cambridge Analytica scandal broke earlier this year.

“We're sorry this happened and we're instructing developers to delete the photos,” Facebook said in a help web page set up to assist potential affected users. 

In a blog post to developers about the issue, the company said that the bug would have affected people who used Facebook to log in to third-party apps and gave those apps permission to access their photos.

According to the company, for 12 days starting Sept. 13, the bug gave those third-party apps access to photos that users may not have authorized for sharing.

More on Facebook and Privacy

When a user gives an app permission to access photos, the app is supposed to get access only to the photos shared on the user's Facebook timeline. But, in this case, the company says the apps could have also gotten access to other photos, such as those shared on Facebook’s Marketplace, which lets users buy and sell things, or in Facebook Stories, which are posts that are normally visible for only 24 hours.

The bug also affected photos that people uploaded but never actually posted. In total, Facebook says it thinks the bug may have affected up to 1,500 apps built by 876 developers.

A spokeswoman from Facebook tells CR that the company discovered and fixed the bug on Sept. 25.

Though the issue isn't as harmful to consumers as Facebook’s other recent privacy-related problems, Katie McInnis, policy counsel at Consumer Reports, questioned why it took so long for the social network to notify users.

“They clearly knew about this in September, why are they just telling people now?” asks McInnis.

As she says, the news comes just a day after Facebook hosted a marketing event in NYC where it passed out hot chocolate and offered users help with their privacy settings.

“It’s just another bad privacy story after a year of mishaps,” she says.

What You Can Do About It

Facebook says it will roll out new tools next week to help developers determine which of their users might be affected by the bug, then work with those users to delete the private photos.

In addition, the company will issue a Facebook alert directing users who may have been impacted by the issue to an online help center that will show them whether any apps they've used are affected by the bug. In the meantime, Facebook recommends that users log into any apps they’ve shared their Facebook photos with and review the pictures those apps have access to.

“What I really think people should do is consider what they’re sharing with Facebook in light of everything that’s happened over the past year,” McInnis says.

Though it won’t get your photos back from apps that shouldn’t have them, it never hurts to do a privacy check on your Facebook account as well.

But it's worth noting that there's no quick and easy way to delete your photos in bulk. You'll have to pick them off one by one, which, for many people, could prove to be a time-consuming activity.

And if you’re really aggravated by all of this, you can always delete your Facebook account—and all the related data, including your photos, will be deleted from your account. (It can take a few weeks for your data to officially be deleted.)