Facebook's latest app data bug exposed the private photos of 6.8m users

The data privacy scandals just keep coming for Facebook: the social network has revealed a flaw in its code that could have exposed the private photos of up to 6.8 million users. The security hole has now been patched, but was open for 12 days.

According to Facebook, the bug worked like this: if affected users granted apps access to their timeline photos, those apps could then get at pictures they weren't supposed to be able to see, including images from Facebook Stories and Facebook Marketplace. Even worse, they could see images uploaded to Facebook and not yet posted.

That's right – Facebook keeps copies of pictures you upload to the app and then don't get around to posting... just in case you want to come back and finish off the post. These images are kept for three days before being removed, Facebook says.

Cleaning up the mess

Some 1,500 third-party apps were inadvertently granted a higher level of access than they really should have had. Facebook is notifying the developers of the apps in question, but to what extent they accessed or used photos they shouldn't have seen isn't clear.

"We're sorry this happened," writes Facebook's Tomer Bar. "Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users."

The bug was live in September before being fixed, and Facebook could be in trouble with EU regulators for waiting so long to report it. If you're one of the users who might have been affected, you should see an alert the next time you log in.

David Nield
Freelance Contributor
