Facebook Says Some Users' Private Photos Were Accidentally Shared With Developers In September, a Facebook "bug" allowed developers to access images people shared with friends on Facebook Stories — or images users had not even posted. Up to 6.8 million users may have been affected.
NPR logo Facebook Says Some Users' Private Photos Were Accidentally Shared With Developers

Facebook Says Some Users' Private Photos Were Accidentally Shared With Developers

Facebook employees talk to visitors at a one-day Facebook pop-up kiosk in Bryant Park in New York City on Thursday. The company was fielding questions about its data-sharing practices and teaching users how to understand its new privacy controls. The next day, Facebook announced that a "bug" that had inappropriately shared users' private data — this time, their photos. Timothy A. Clary/AFP/Getty Images hide caption

toggle caption
Timothy A. Clary/AFP/Getty Images

Facebook employees talk to visitors at a one-day Facebook pop-up kiosk in Bryant Park in New York City on Thursday. The company was fielding questions about its data-sharing practices and teaching users how to understand its new privacy controls. The next day, Facebook announced that a "bug" that had inappropriately shared users' private data — this time, their photos.

Timothy A. Clary/AFP/Getty Images

For nearly two weeks in September, developers who created apps for Facebook were able to access user photos that they should never have been allowed to see, the social media company announced Friday.

Up to 6.8 million users may have been affected, Facebook says.

The "bug" affects users who gave permission to a third-party app to access their Facebook photos. Normally, that would only include photos that someone actually posted to their timeline.

But between Sept. 13 and Sept. 25, other photos were available, as well: Photos that a user posted to Marketplace, Facebook's platform for selling or buying goods. Photos posted to Stories, the platform for sharing images that disappear after 24 hours.

Even photos that were never actually posted on Facebook at all — if a user had started to post a photo, then changed their minds, that picture also could be shared with developers.

It didn't matter what privacy settings a user had placed on their images or posts.

"We're sorry this happened and we're instructing developers to delete the photos," Facebook says.

Facebook users can learn whether their photos were involved in the bug by visiting a page on Facebook's help site.

It's not clear when Facebook discovered the breach, or how it was repaired.

Facebook has been under close scrutiny for how it handles — or mishandles — the massive quantity of user data it has accumulated.

This fall, Facebook announced that a security breach affected millions of its users and exposed their personal data, including information such as location and recent searches, to malicious actors.

And earlier this year, the Cambridge Analytica scandal revealed that millions of people had their data harvested without their consent, information that was then used to build profiles for political campaign purposes.