Facebook said on Friday a software bug may have exposed the photos of nearly 7 million users without consent to as many as 1,500 third-party apps.
This includes photos that were never posted, the company said.
"Our internal team discovered a photo API bug that may have affected people who used Facebook Login and granted permission to third-party apps to access their photos. We have fixed the issue but, because of this bug, some third-party apps may have had access to a broader set of photos than usual for 12 days between September 13 to September 25, 2018," the company said in a post on its developer blog.
Facebook said it found the bug on Sept. 25, the same day hackers had accessed digital keys, affecting 30 million users. The company had initially said the number of users affected was 50 million.
The timeline of the photo glitch, which the company said happened between Sept. 15 and Sept. 25, was similar to the September data breach.
The bug also impacted photos that people uploaded to Facebook but chose not to post.
"When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post. For example, if someone uploads a photo to Facebook but doesn't finish posting it -- maybe because they've lost reception or walked into a meeting -- we store a copy of that photo so the person has it when they come back to the app to complete their post," the company said.
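The permission boundary the company describes, modelled as an added example (constructed here, not Facebook's code); the scope name and the photo surfaces are assumptions, and the buggy filter is contrasted with one that also checks where a photo was shared and whether it was ever published:

```python
"""Over-broad photo-permission check versus a corrected one (constructed model)."""
from dataclasses import dataclass

PHOTO_SCOPE = "user_photos"  # assumed scope name, for illustration only


@dataclass(frozen=True)
class Photo:
    photo_id: str
    owner_id: str
    surface: str      # "timeline", "marketplace", "stories" or "draft"
    published: bool   # False for an upload the user never finished posting


# Constructed sample photo store for two users (not real data).
PHOTOS = [
    Photo("p1", "u1", "timeline", True),
    Photo("p2", "u1", "marketplace", True),
    Photo("p3", "u1", "stories", True),
    Photo("p4", "u1", "draft", False),
    Photo("p5", "u2", "timeline", True),
]


def buggy_photos_for_app(owner_id: str, granted: set) -> list:
    """Bug: once the scope is granted, every photo the user owns is returned."""
    if PHOTO_SCOPE not in granted:
        return []
    return [p for p in PHOTOS if p.owner_id == owner_id]


def fixed_photos_for_app(owner_id: str, granted: set) -> list:
    """Fix: the scope only covers published photos shared on the timeline."""
    if PHOTO_SCOPE not in granted:
        return []
    return [p for p in PHOTOS
            if p.owner_id == owner_id and p.surface == "timeline" and p.published]


def over_exposed(owner_id: str, granted: set) -> set:
    """Photo IDs the buggy check hands out beyond what the grant was meant to cover."""
    allowed = {p.photo_id for p in fixed_photos_for_app(owner_id, granted)}
    return {p.photo_id for p in buggy_photos_for_app(owner_id, granted)} - allowed


if __name__ == "__main__":
    print(sorted(over_exposed("u1", {PHOTO_SCOPE})))  # ['p2', 'p3', 'p4']
```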
Meanwhile, European regulators confirmed Friday that they are investigating Facebook for violating its new privacy regulations. It is the first major test of the European Commission's new data protection rules, or the General Data Protection Regulation (GDPR).
"The Irish DPC has received a number of breach notifications from Facebook since the introduction of the GDPR on May 25, 2018. With reference to these data breaches, including the breach in question, we have this week commenced a statutory inquiry examining Facebook’s compliance with the relevant provisions of the GDPR," Graham Doyle, the Irish Data Protection Commission's head of communications, told ABC News in an emailed statement.
Facebook's European headquarters are in Dublin, so its lead European regulator is Ireland.
The social media giant also said the photo bug may have affected "up to 6.8 million users and up to 1,500 apps built by 876 developers." "The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos," the statement said.
Privacy advocates expressed concern about yet another incident in which app developers were able to access more user information than was authorized.
"The breach exposed pictures that were uploaded, but chosen not to actually share," Christine Bannan, the Electronic Privacy Information Center's counsel, told ABC News. "Those are pictures someone actively decided not to show other people and Facebook is still storing that and accidentally giving it to third-party developers.
"It's another example of FB not taking privacy seriously enough," Bannan added. "Facebook just wants as much data as possible and just isn't careful with it. This is happening because they are having developers have access to their platform without having standards and safeguards to what developers have access to."
Gennie Gebhart, a researcher with the Electronic Frontier Foundation, was not as concerned about the unposted photos.
"This wasn't super alarming to me. Let's say I'm in Facebook and I upload a photo as a draft. If you save it as a draft, that's OK. Obviously, that shouldn't be shared, you have not given consent," she told ABC News. "The problem is the bug that has allowed it to be shared more widely. That has been the problem Facebook has been dealing with all year.
"2018 has been the year of Facebook and other tech companies violating these privacy expectations, with nothing resembling informed consent," she added. "It is important to differentiate this from Cambridge Analytica, which wasn't a bug. That was a platform behaving as it was intended. This is a different breed of privacy violation. This was an engineering mistake in the code. Of course, on the user end, those technicalities aren't important. This is just another huge Facebook privacy scandal."
It is not clear yet which apps were affected. Dating apps Tinder, Grindr and Bumble did not immediately respond to requests for comment.
Users who were affected were notified by an alert on Facebook, the company said Friday. It also recommended that users log into the apps they use and check which photos they have granted access to.
Facebook did not respond to emails asking how quickly the company informed regulators or how the unposted photos were stored.