A bug on Facebook gave app developers unauthorized access to the photos of as many as 6.8 million users.
The bug, which affected Facebook’s photo API, was active from September 13 through September 25, when it was discovered by Facebook and fixed. September 25 was coincidentally the same day the company announced a massive security breach that affected 30 million users.
Facebook informed the EU’s Office of the Data Protection Commissioner weeks later on November 22. The delay in notifying authorities and customers puts Facebook at risk of a fine under rules of the GDPR, which requires data breach disclosure within a 72 hour period.
Photos that were potentially exposed include any uploaded by users to the site, including images that hadn’t been shared, or that were partially uploaded but not posted.
“We’re sorry this happened,” said Facebook in a statement to developers. “[W]e will also notify the people potentially impacted by this bug via an alert on Facebook. The notification will direct them to a Help Center link where they’ll be able to see if they’ve used any apps that were affected by the bug.”
Read Facebook’s announcement here.