Facebook has just revealed a Photo API bug gave app developers too much access to the photos of up to 5.6 million users. The bug allowed apps users had approved to pull their timeline photos to also receive their Facebook Stories, Marketplace photos, and most worryingly, photos they’d uploaded to Facebook but never shared. Facebook says the bug ran for 12 days from September 13th to September 25th.
Facebook provided merely a glib “We’re sorry this happened” in terms of an apology. It will provide tools next week for app developers to check if they were impacted and it will work with them to delete photos they shouldn’t have.
The privacy failure will further weaken confidence that Facebook is a responsible steward for our private data. It follows Facebook’s massive security breach that allowed hackers to scrape 30 million people’s information back in September. There was also November’s bug allowing websites to read users’ Likes, October’s bug that mistakenly deleted people’s Live videos, and May’s bug that changed people’s status update composer privacy settings.