A day after hosting a pop-up store in New York City’s Bryant Park to explain how privacy is the “foundation of the company,” Facebook disclosed that a security flaw potentially exposed the public and private photos of as many as 6.8 million users to developers.
On Friday, the Menlo Park, California–based company said in a blog post that it discovered a bug in late September that gave third-party developers the ability to access users’ photos, including those that had been uploaded to Facebook’s servers but not publicly shared on any of its services. The security flaw, which exposed photos for 12 days between Sept. 13 and Sept. 25, affected up to 1,500 apps from 876 developers, according to Facebook.
“We're sorry this happened,” Facebook said in the post. “Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.”
Facebook has not yet responded to questions about whether company representatives staffing its privacy pop-ups yesterday were aware of this security flaw as they were meeting with reporters and customers to discuss privacy.
While Facebook typically only gives developers access to photos people share on their timelines, this bug also granted apps access to photos shared on Marketplace, its peer-to-peer buy and sell service, and Stories, its ephemeral video- and photo-sharing tool. It also exposed photos that a user had never finished posting at all.
“For example, if someone uploads a photo to Facebook but doesn't finish posting it — maybe because they've lost reception or walked into a meeting — we store a copy of that photo so the person has it when they come back to the app to complete their post,” the company explained. It also clarified that photos sent via its Messenger app were not affected.
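As an added illustration, not code from Facebook or from this article, here is a minimal model of the permission boundary the post describes. The record layout, the surface names, the `user_photos` scope and the function names are all assumptions made for the example. The intended check keys on the surface a photo was shared to and on whether the post was completed; the faulty check keys on ownership alone (Messenger is excluded in both, since the company said those photos were unaffected). The difference between the two is exactly the per-user exposure list that a developer-facing tool would need to produce.

```python
"""Model of a photo-permission check: faulty form beside the intended form.

Added example, not Facebook's code. Surface names, the 'user_photos' scope
and all function names are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Photo:
    photo_id: str
    owner: str
    surface: str   # assumed values: timeline, marketplace, stories, messenger, draft
    posted: bool   # False for an upload whose post was never completed


# Constructed sample data: one user's photos across several surfaces,
# including a draft that was uploaded but never posted.
PHOTOS = [
    Photo("p1", "alice", "timeline", True),
    Photo("p2", "alice", "marketplace", True),
    Photo("p3", "alice", "stories", True),
    Photo("p4", "alice", "messenger", True),
    Photo("p5", "alice", "draft", False),
    Photo("p6", "bob", "timeline", True),
]

# The only surface third-party apps are meant to see (assumed policy).
DEVELOPER_VISIBLE_SURFACES = {"timeline"}


def photos_for_app_faulty(user: str, granted_scopes: Set[str]) -> List[Photo]:
    """Failure mode: confirms ownership and that the scope was granted, but
    never asks which surface the photo belongs to or whether it was posted."""
    if "user_photos" not in granted_scopes:
        return []
    return [p for p in PHOTOS
            if p.owner == user and p.surface != "messenger"]


def photos_for_app_fixed(user: str, granted_scopes: Set[str]) -> List[Photo]:
    """Intended policy: ownership AND granted scope AND developer-visible
    surface AND the post was actually completed."""
    if "user_photos" not in granted_scopes:
        return []
    return [p for p in PHOTOS
            if p.owner == user
            and p.surface in DEVELOPER_VISIBLE_SURFACES
            and p.posted]


def overexposed(user: str, granted_scopes: Set[str]) -> List[Photo]:
    """Impact assessment: what the faulty check returned that the intended
    policy would not. This is the per-user list a remediation tool needs."""
    allowed = {p.photo_id for p in photos_for_app_fixed(user, granted_scopes)}
    return [p for p in photos_for_app_faulty(user, granted_scopes)
            if p.photo_id not in allowed]


if __name__ == "__main__":
    for p in overexposed("alice", {"user_photos"}):
        print(f"overexposed: {p.photo_id} ({p.surface}, posted={p.posted})")
```

The point the model makes is that an ownership-plus-scope check is not an authorization policy on its own: the surface and the publication state are part of what the user consented to, so they have to be inputs to the check, and an audit of the incident is simply the set difference between the two predicates over the exposure window.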
The company noted to BuzzFeed News that it was only disclosing the issue now, more than two months after discovery, because it was taking the time to understand the bug’s impact. Facebook also said it believes it did not run afoul of the European GDPR’s breach-notification rule, which requires a company to notify the supervisory authority within 72 hours of becoming aware of a personal data breach, because it needed that time to investigate whether this was a breach that required such notification.
The company said it would be notifying affected users directly. Users can also visit Facebook’s help center to see if they’ve used any apps that were affected by the bug.
Friday’s disclosure is the latest user data mishap in a year full of them. While the company is still weathering the fallout of the Cambridge Analytica scandal, in late September it disclosed a separate breach that exposed the personal information of 30 million users.
It also comes 24 hours after Facebook launched a series of pop-up stores around the world to show its commitment to user privacy. “We care deeply, as deep as a company can care about privacy,” vice president of marketing solutions Carolyn Everson said in an interview with Digiday on Thursday.
“We have a responsibility to protect your information,” Facebook CEO Mark Zuckerberg wrote in a full-page newspaper ad in March following the Cambridge Analytica disclosure. “If we can’t, we don’t deserve it.”