A so-called bug may have exposed the photos of millions of Facebook users without their permission, the social media giant announced Friday.
How many people are impacted?
As many as 6.8 million Facebook users may be impacted by a bug affecting 1,500 apps built by 876 developers, according to a blog post from one of Facebook's directors.
Users' photos were exposed over a 12-day period in September, according to the post. Although users had granted the apps permission to access their photos, the access the bug allowed would have included even pictures that were set to private. The post explains:
"When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline," Bar wrote. "In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post. For example, if someone uploads a photo to Facebook but doesn't finish posting it - maybe because they've lost reception or walked into a meeting - we store a copy of that photo so the person has it when they come back to the app to complete their post."
CNN Business asked Facebook why it waited so long to make the announcement.
"We have been investigating the issue since it was discovered to try and understand its impact so that we could ensure we are contacting the right developers and people affected by the bug," a Facebook spokesperson told CNN. "It then took us some time to build a meaningful way to notify people, and get translations done."
In the blog post, Facebook indicated it will notify people who were impacted. The company continues to face scrutiny for how it handles information given to third-party application developers.
Earlier this year, Facebook faced backlash when it was revealed that Cambridge Analytica used an app to gather information on tens of millions of Americans.
Facebook faced a fine in the U.K. equal to about $630,000 for two breaches of the Data Protection Act. The fine was the maximum amount possible, The Guardian reported. The Information Commissioner's Office decided that Facebook failed to safeguard its users' information and also was not transparent about how the data was harvested by others.