(Credit: 3D Vector/Shutterstock)

If you've been following Facebook in the news this year, you know that 2018 has been a particularly challenging year for the company, as it continues to face scrutiny over its user data management practices. And along the way, the social network has suffered from several security incidents.

Today, Facebook disclosed another personal data breach, one that it says may have affected the photos of up to 6.8 million members during a brief window in September.

In the statement, Facebook engineering director Tomer Bar said, "When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post."
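The failure Bar describes is an authorization-scope bug: the permission check confirmed that an app was allowed to read a user's photos, but the data returned was not limited to the photos that permission was meant to cover. The following is an added example, not Facebook's code; the surface labels (`timeline`, `marketplace`, `stories`, `draft`), the `user_photos` scope name and the sample library are all constructed for illustration. It places the leaky lookup beside a scoped one and includes a small audit helper that flags any returned photo lying outside the granted scope, which is the kind of check a platform can run over API responses to catch this class of bug before users do.

```python
"""Toy photo API showing a user-only access check (leaky) beside a check
that also scopes on where the photo was shared (hardened).
Added example; names and sample data are constructed, not from the article."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Photo:
    photo_id: str
    owner: str
    surface: str      # hypothetical labels: "timeline", "marketplace", "stories", "draft"
    published: bool   # False for an upload the user never finished posting


# Constructed sample library: five photos for alice, one for bob.
LIBRARY = [
    Photo("p1", "alice", "timeline", True),
    Photo("p2", "alice", "timeline", True),
    Photo("p3", "alice", "marketplace", True),
    Photo("p4", "alice", "stories", True),
    Photo("p5", "alice", "draft", False),   # uploaded but never posted
    Photo("p6", "bob", "timeline", True),
]

# Which surfaces each (hypothetical) permission is meant to expose.
SCOPE_SURFACES = {"user_photos": {"timeline"}}


def _allowed_surfaces(granted_scopes):
    """Union of the surfaces covered by every granted scope."""
    allowed = set()
    for scope in granted_scopes:
        allowed |= SCOPE_SURFACES.get(scope, set())
    return allowed


def photos_leaky(library, owner, granted_scopes):
    """Mirrors the failure mode in the article: the check only confirms the
    app holds *a* photo permission for this user, then returns everything
    the user ever uploaded, including other surfaces and unposted drafts."""
    if "user_photos" not in granted_scopes:
        return []
    return [p for p in library if p.owner == owner]


def photos_scoped(library, owner, granted_scopes):
    """Hardened lookup: the permission decides which surfaces are visible,
    and an upload that was never published is never an API result."""
    allowed = _allowed_surfaces(granted_scopes)
    return [
        p for p in library
        if p.owner == owner and p.published and p.surface in allowed
    ]


def over_exposed(returned, granted_scopes):
    """Audit helper: ids of returned photos that fall outside the granted
    scope. Run over real responses, a non-empty result is the detection."""
    allowed = _allowed_surfaces(granted_scopes)
    return [
        p.photo_id for p in returned
        if not p.published or p.surface not in allowed
    ]


if __name__ == "__main__":
    scopes = {"user_photos"}
    leaked = photos_leaky(LIBRARY, "alice", scopes)
    print("leaky handler returned:", [p.photo_id for p in leaked])
    print("outside scope:", over_exposed(leaked, scopes))
    print("scoped handler returned:",
          [p.photo_id for p in photos_scoped(LIBRARY, "alice", scopes)])
```

The point of `over_exposed` is that the scope-to-surface mapping is the policy, so the same mapping can be used both to enforce the check and to audit responses independently of the handler that produced them; if the two ever disagree, the handler is wrong.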


This last part has been of particular concern among privacy advocates, because the implication is that Facebook was sharing photos with app developers even if the user didn't finish publishing their pics on the social network. The company has said in the past that incomplete uploads are retained on purpose, in case the user wants to finish the process later.

Facebook says that "Early next week, we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users." According to Facebook, up to 1,500 apps may have had access to these incomplete photo uploads.

Tomer Bar adds, "The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos."


As the "Washington Post" points out, the European Union now legally requires that tech companies notify it of a security breach within 72 hours. This stricter rule is part of the EU's General Data Protection Regulation, or GDPR, which it began enforcing in May 2018. Since this specific Facebook security issue emerged in September and was apparently not mentioned to the EU until now, the company may face regulatory fines as a result of its delayed notification.

However, the issue Facebook experienced in September may not clearly qualify as something that it would be required to report to the EU, because there isn't clear evidence that the issue was actually exploited by a third party as a full-fledged security breach. As a result, the company may be able to draw a line in the sand between this and its more complicated relationship with Cambridge Analytica. We'll see how things shake out.


  • Facebook disclosed a security bug today that it says may have affected up to 6.8 million users. Unfinished photo uploads could have been viewed by up to 1,500 apps.
  • However, without evidence that the security bug became an actual security breach that was taken advantage of by a third party, it's not clear what Facebook's requirements are for reporting this event to regulators.
  • Facebook would be required to notify the European Union of a security breach within 72 hours, and the photo bug occurred in September.


Tom McNamara is a Senior Editor for CNET's Download.com. He mainly covers Windows, mobile and desktop security, games, Google, streaming services, and social media. Tom was also an editor at Maximum PC and IGN, and his work has appeared on CNET, PC Gamer, MSN.com, and Salon.com. He's also unreasonably proud that he's kept the same phone for more than two years.