(Bloomberg) -- Facebook Inc. said a software bug gave outside developers broader access to the photos of millions of users, another privacy misstep by the world’s largest social network.
As many as 6.8 million users and up to 1,500 apps were involved, according to a blog post the company published on Friday. The bug has been fixed and Facebook is alerting people potentially affected.
"We’re sorry this happened," Facebook said. "Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users."
Usually when a Facebook user gives an app permission to access their photos, the company only grants access to images shared on their timeline. The bug, which spanned the 12 days between Sept. 13 and Sept. 25, potentially gave developers access to other images, such as photos uploaded to the site but not yet posted, the Menlo Park, California-based firm said.
This is the latest in a series of incidents that have eroded user trust, including a major breach in September. The Irish Data Protection Commission said it is investigating Facebook after receiving a number of breach notifications from the company this year.
"With reference to these data breaches, including the breach in question, we have this week commenced a statutory inquiry examining Facebook’s compliance" with Europe’s General Data Protection Regulation, said Graham Doyle, a spokesman at the Irish DPC, Facebook’s main privacy regulator.
The GDPR kicked in across the European Union on May 25, and Ireland’s probe of Facebook is the first major privacy case under the new law. A Facebook spokesperson said it took the company a while to determine if this breach was something they were required to report.
"We notified the IDPC as soon as we established it was considered a reportable breach under GDPR," the spokesperson said. "We had to investigate in order to make that conclusion. And once we did, we let our regulator know within the 72-hour time frame."