Facebook Inc. said pictures belonging to up to 6.8 million users may have been exposed by a software glitch that granted app developers access to the photos, the latest in a series of privacy lapses at the social-media giant.
Up to 1,500 apps may have had improper access to photos that weren’t yet shared by Facebook users, including in draft posts, from Sept. 13 to Sept. 25, the company said Friday in a post on its developers’ blog.
A company spokeswoman said Facebook found and fixed the bug on Sept. 25 after an internal team made the discovery. The impact of the breach isn’t yet clear, including whether any developers accessed the photos during the window when they were improperly made available.
Facebook’s privacy safeguards have become a mounting problem for the company. Earlier this week, the Menlo Park, Calif., company opened a 24-hour pop-up shop in New York City designed to educate holiday shoppers and tourists about its privacy controls and the steps individuals can take to safeguard their data.
Consumer backlash has contributed to slowing revenue growth for Facebook and to a decline of more than 25% in the stock price over the past five months. The sagging stock price has also resulted in flagging morale at the company. Facebook shares dropped less than 1% on Friday, to $144.06.
Facebook’s disclosure Friday also comes as it faces a range of regulatory inquiries into how it safeguards user privacy, treats its competitors and controls access to its platform.
Earlier this year, Facebook said the data related to as many as 87 million people may have been improperly shared with Cambridge Analytica, a political analytics firm. At the time, Chief Executive Mark Zuckerberg said: “We have a responsibility to protect your information. If we can’t, we don’t deserve it.”
In September, Facebook reported that hackers gained access to nearly 50 million accounts in what amounts to the largest-ever security breach at the social network.
The latest incident also exposes Facebook to fresh scrutiny from European regulators, who earlier this year enacted legislation requiring internet companies like Facebook to inform them about breaches within 72 hours.
Facebook said it informed Ireland’s Data Protection Commission, which is the company’s lead privacy regulator in Europe, about the incident on Nov. 22. The company said it spent roughly two months after learning of the glitch trying to determine the scope of the incident and whether it was required to disclose it. The company said it believes it is in compliance with European law.
In a statement, Graham Doyle, head of communications for the Data Protection Commission, said the regulator started a “statutory inquiry” this week to see if Facebook complied.
Facebook then waited several weeks to announce the breach publicly because it needed to build a notification page and translate it into multiple languages, the spokeswoman said. Facebook automatically translates posts presented in the news feed in more than 60 languages. “We’re sorry this happened,” wrote Tomer Bar, engineering director at Facebook, in the blog post.
Early next week, Facebook will roll out tools for third-party app developers to determine which people might have been affected by the application programming interface bug that led to the potential exposure of the photos. Facebook said it would work with the developers to delete affected users’ photos.
Any developer that doesn’t certify within two months that it deleted any photos it improperly obtained will lose access to the Facebook platform, the company said.
The company, which will notify people potentially affected through an alert on Facebook, also recommended users log into any apps with Facebook authorization to check or update photo-sharing permissions.