Facebook’s photo API bug exposes private photos of 6.8 Million users to app developers

The year 2018 has been quite a controversial one for Mark Zuckerberg-led social media giant Facebook. The company found itself in hot water several times this year for reasons like the Cambridge Analytica scandal, which involved misuse of the user data of as many as 50 Million Facebook users, as well as deleting Zuckerberg’s messages from recipients’ inboxes. In September, Facebook once again received a lot of flak after a security breach affected almost 50 Million accounts. Well now, we are looking at yet another data breach which has exposed private photos of millions of Facebook users.


Facebook has announced that it has discovered a photo API bug which exposed private photos of 6.8 Million users to third-party app developers. By private, we are referring to those photos that were shared in Stories, as well as the ones that remained un-posted for different reasons like losing Internet connection.

While Facebook says it has fixed the bug, it goes on to say that third-party app developers may have had access to these photos between September 13 and September 25, 2018. However, not all Facebook users have to worry: only users who logged in to third-party apps using their Facebook credentials and gave the apps permission to access their photos may have been affected.

“When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post. For example, if someone uploads a photo to Facebook but doesn’t finish posting it – maybe because they’ve lost reception or walked into a meeting – we store a copy of that photo for three days so the person has it when they come back to the app to complete their post,” said Facebook in a blog post.

Next week, Facebook will roll out tools for app developers that will help them determine which of their users were impacted by this bug. The social media giant will also work with app developers to delete the photos from impacted users.

Furthermore, Facebook will also be notifying users who may have been impacted by this bug. Facebook users who have logged in to third-party apps with their Facebook credentials can click here to see if they are using any apps that were affected by this bug. And if they are, it’s better to delete those private photos for good.

At this point, it’s safe to say that either Facebook is incapable of protecting its user data, or it’s just not serious enough about it. People will ultimately lose trust in Facebook if it keeps on screwing up like this.