When Facebook announced its latest privacy-related blunder last Friday, one detail alarmed users: third-party apps could have accessed photos that were never even posted.
"The bug also impacted photos that people uploaded to Facebook but chose not to post," Tomer Bar, an engineering director at the company, wrote in a blog post for developers. "For example, if someone uploads a photo to Facebook but doesn't finish posting it — maybe because they've lost reception or walked into a meeting — we store a copy of that photo so the person has it when they come back to the app to complete their post."
A Facebook spokeswoman told ABC news the photos are stored in drafts "to make it easier for someone to come back and post something if they have been interrupted."
On Friday, Facebook updated the blog post to say that the copy of the photos is stored "for three days."
That news drew a mixed reception from privacy advocates, who say that the social media behemoth needs stricter standards on the access given to third-party developers.
The glitch "exposed pictures that were uploaded, but chosen not to actually share," Christine Bannan, the Electronic Privacy Information Center's counsel, told ABC News. "Those are pictures someone actively decided not to show other people and Facebook is still storing that and accidentally giving it to third-party developers."
Third-party apps that require a Facebook account to log in, such as Tinder, Grindr or Bumble, did not respond to a request for comment about whether the Facebook breach involved their access to user photos.
"It’s another example of Facebook not taking privacy seriously enough," Bannan added. ”Facebook just wants as much data as possible and just isn't careful with it. This is happening because they are having developers have access to their platform without having standards and safeguards to what developers have access to."
"We're sorry this happened," Bar wrote.
Some platforms start uploading photos once a user starts drafting a post so that when the user hits "Post," the picture appears to have been loaded immediately.
But what about other social media platforms?
"Twitter does allow upload and storage of media prior to tweeting, but it is only viewable by the account owner," a Twitter spokesperson told ABC News in an emailed statement.
With regard to Snapchat, when a user starts loading a photo on the "Send To" screen, the platform starts encrypting and uploading that content, according to a company spokeswoman.
"We do this to improve delivery speed. If the Snapchatter decides not to send the Snap, decryption keys are never created and no one, including Snap, can view the content of the uploaded Snap. Our systems are designed to delete the encrypted, unsent Snaps within 24 hours, but deletion may happen much sooner," a Snap spokeswoman told ABC News.
Foursquare, which now focuses on enterprise (business) customers, said photos are not stored on the platform unless they are actually posted.
"We don't collect anything," a Foursquare spokesperson told ABC News. "Nothing happens unless you press that publish button."