Facebook discovered yet another privacy hole in its service. This time there was a flaw in the platform that let apps access people's photos that should not have been available.
On Friday, Facebook disclosed a "bug" in its photos API—the platform for developers to create apps that tap into people's photos on the site. The bug existed from September 13 to September 25, and during that time hundreds of apps that use the photos API were able to see people's photos that were never posted publicly to Facebook.
The social network said in a blog post on Friday that up to 6.8 million people were left exposed by the security lapse, which would have made photos they never posted publicly visible to the app developers. A person would only be affected if at one point they gave an app permission to access their photos for a service. Apps for dating and photo sharing are typically the kinds of services that request access to photos, and Facebook said there were 1,500 apps from 876 developers affected.
Facebook has not uncovered any "misuse" by developers, a Facebook spokeswoman said by e-mail.
"We're sorry this happened," Facebook said in the blog post. "Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users."
The bug meant that photos that people only partially uploaded to Facebook or uploaded but never shared publicly, they would have been accessible to developers.
Facebook has been dealing with a number of security concerns all year, combatting inauthentic accounts run by bad actors, data abuse and its worst hack in its history. In September, Facebook reported that hackers exploited a vulnerability in its code that exposed personal data on up to 30 million people.
In June, Facebook found a "bug" that surreptitiously switched privacy settings to the default "public" option for 14 million people. That meant people who thought they fine-tuned their privacy to only share with the people they chose might have accidentally set posts to share with everyone.
Privacy failures have become a possibly major liability for tech companies, because of the EU's General Data Protection Regulation, which took effect in May. The new law sets penalties as high as 4 percent of a company's annual revenue from the prior year. Facebook made $40 billion in 2017, and 4 percent would be $1.6 billion.
Brian Wieser, analyst with Pivotal Research, says it's too early to tell how big a problem this privacy issue could be for Facebook.
"In context of all of the other problems Facebook has, this seems relatively minor, at least so far," Wieser says. "We already have a lot of evidence to reinforce the idea that Facebook is sloppy, prioritizing growth at expense of other considerations."
EU regulators have said they are investigating Facebook's compliance with GDPR. It's unclear how much of a financial hit the company would take, if any, until EU regulators rule on the matter, Wieser says.
Facebook is not alone in worrying about the repercussions of GDPR. Google has revealed at least two security holes in Google Plus, the social media layer it built into its search product. In October, Google reported a bug that exposed data on more than 50 million people to developers, and now Google Plus is slated for obsolescence in April.
As for advertisers, they have not shown signs of penalizing Facebook yet for any problems with platform or disagreements over management. However, marketers have been more vocal this year about claiming they would hold platforms to higher standards of accountability.
Lou Paskalis, svp of consumer engagement and media investment at Bank of America, blasted Facebook for carelessness. On Friday, Paskalis tweeted: "Once again, @facebook has not been thoughtful about ensuring its platform is truly safe for its users. Good fundamental controls and governance to ensure user and advertiser safety are not just good hygiene, they are mandatory table stakes for platforms!"