The losing streak for Facebook doesn’t stop: There was a new data leak. The Photo API error may affect people who have given third-party apps permission to access their photos. According to Facebook, the problem has been fixed. However, due to this bug, “some” third-party applications “had access to a larger number of photos than usual for 12 days between September 13 and September 25, 2018.

When Facebook users give an app permission to access photos, Facebook claims that it usually only allows access to photos shared by users on its timeline. In this case, the bug may have allowed developers to access other photos:

  • like e.g. the stories shared on the Marketplace or Facebook
  • and piquantly also photos that were uploaded to Facebook but not published .

Facebook explained:

For example, if someone uploads a photo to Facebook but doesn’t finish publishing it – maybe because they lost reception or went to a meeting – we store a copy of that photo for three days so the person has it when they return to the app to complete their post.

Currently, we expect this to have affected up to 6.8 million users and up to 1,500 apps from 876 developers. The only applications affected by this bug were those that Facebook approved for access to the Photo API and authorized people to access their photos.

In mid-December, Facebook will introduce tools for app developers to determine which people using their app may be affected by this bug. Facebook will “work” with these developers to delete photos of affected users.

Affected Facebook users will be notified about a notification on Facebook. The notification will take them to a Help Center link where they can see if they have used applications affected by the bug.

Facebook encourages users to log in to any apps they have shared their Facebook photos with to see which photos they have access to.


This Help page from Facebook shows if you are affected.