For nearly two weeks in September, developers who created apps for Facebook were able to access user photos that they should never have been allowed to see, the social media company announced Friday.
Up to 6.8 million users may have been affected, Facebook says.
The "bug" affects users who gave permission to a third-party app to access their Facebook photos. Normally, that would only include photos that someone actually posted to their timeline.
But between Sept. 13 and Sept. 25, other photos were available, as well: Photos that a user posted to Marketplace, Facebook's platform for selling or buying goods. Photos posted to Stories, the platform for sharing images that disappear after 24 hours.
Even photos that were never actually posted on Facebook at all — if a user had started to post a photo, then changed their minds, that picture also could be shared with developers.
It didn't matter what privacy settings a user had placed on their images or posts.
"We're sorry this happened and we're instructing developers to delete the photos," Facebook says.
Facebook users can learn whether their photos were involved in the bug by visiting a page on Facebook's help site.
It's not clear when Facebook discovered the breach, or how it was repaired.
Facebook has been under close scrutiny for how it handles — or mishandles — the massive quantity of user data it has accumulated.
This fall, Facebook announced that a security breach affected millions of its users and exposed their personal data, including information such as location and recent searches, to malicious actors.
And earlier this year, the Cambridge Analytica scandal revealed that millions of people had their data harvested without their consent, information that was then used to build profiles for political campaign purposes.