Uploaded a photo to Facebook but didn’t post it? It may have been shared with other apps anyway

(Facebook Image)

If you uploaded a photo to Facebook and decided not to post it, there’s still a good chance it was shared with third-party apps — at least if you uploaded it in September.

On Friday, Facebook disclosed that a bug in its photo API affected up to 6.8 million users in the nearly two weeks between Sept. 13 and Sept. 25 this year. If a user had given third-party apps permission to access photos, the bug potentially gave those apps access not just to photos posted to that user’s timeline, but also to images users uploaded but didn’t finish posting. It also may have affected photos posted to Facebook’s Marketplace or Facebook Stories.

Facebook says up to 1,500 apps, built by nearly 900 developers, were likely involved — but only apps that Facebook had already approved to have access to its photo API. The company says it’s now fixed the issue.

“We’re sorry this happened,” Facebook’s Tomer Bar wrote in a developer news blog post. “Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.”

Facebook’s photo access alert to affected users. (Facebook Image)

As to Facebook’s users themselves, the company will be providing an alert to those who might have been affected that directs them to a Help Center link. Facebook also recommends people check to see what photo permissions they’ve given third-party apps.

This is the latest data or privacy issue to affect Facebook. Earlier this year, it reported a data breach that gave hackers access to tens of millions of individuals’ Facebook accounts, some 30 million as of the company’s October estimate. That incident, too, had a tie to September, with the company saying it noticed an unusual spike of activity on Sept. 14 and determined it was an attack on Sept. 25.

Facebook has not said if the two incidents are somehow related, or if the photo API bug was discovered as a result of any investigation into the larger data breach.