From September 13-25 of this year, developers had access to Facebook users’ photos that they had no permission to see. Typically, apps should only be able to access photos in users’ timelines. But while the bug was active, apps had access to photos in people’s stories, timelines, and photos they had uploaded to Facebook Marketplace.
Perhaps most troubling, apps could also access photos that users may have uploaded to Facebook but chose never to post. This means that Facebook actually stores photos that you upload and then decide not to post, for an unspecified amount of time. Here’s how Facebook explains it:
The bug also impacted photos that people uploaded to Facebook but chose not to post. For example, if someone uploads a photo to Facebook but doesn’t finish posting it – maybe because they’ve lost reception or walked into a meeting – we store a copy of that photo so the person has it when they come back to the app to complete their post.
This photo breach may seem like small potatoes in comparison to the 50 million person attack in September in which hackers stole personal information of 29 million people. Giving access to photos you never meant to share is troubling, but perhaps not as damning as getting your contact information and a host of other information.
The timing is what’s tricky here. Facebook disclosed the 50-million user data breach on September 25 — the same day it became aware of the photo bug. Under the GDPR, Facebook has 72 hours to notify users of data compromises. So why did Facebook wait nearly three months to tell us about this invasion of our privacy?
Anyway, Facebook says it’s planning to notify affected users with an “alert.” That will send them to the “Help Center” where they can see which apps may have had access to their “other photos” and remove the apps if they want.