Facebook has been caught up in another data breach involving their developer API, this time affecting up to 5.6 million users.
TechCrunch reported on Saturday that the bug allowed apps to pull photos from users' timelines, stories, marketplace listings, and, most worryingly, photos that had been uploaded to Facebook but never posted.
The bug was present for users who had allowed apps to access their photos, and is believed to cover 1,500 different applications by 876 developers.
In a post on the Facebook for Developers blog, Facebook confirmed that the bug was present for 12 days from September 13th to September 25th. It is still unclear as to why it took nearly three months before Facebook revealed the breach and informed affected users.
Curiously, Facebook discovered this bug on the same day as the recent security breach affecting 50 million users that allowed hackers access to users' information.
Once again, Facebook has offered little more than a “sorry this has happened” explanation to affected Facebook users.
The privacy failure continues to impact confidence that Facebook can assure users of responsible stewardship of their private data. Troublingly, most of Facebook’s security violations to date haven’t been caused by hackers, but have stemmed from issues within Facebook itself.
The Cambridge Analytica breach, which allowed users' data to be harvested by third parties for political purposes, was caused by a similar issue to this latest breach. In November a bug allowed websites to read users' likes and interests, while in May a bug changed people's status update composer privacy settings.
Facebook says they will work with application developers to delete photos they shouldn’t have had access to, and has begun notifying people it believes may have been impacted by the bug via a Facebook notification that will direct them to the Help Center. The notification will allow affected users to view any apps that may have had errant access to their photos.
Facebook says the European Union's privacy watchdog and the Data Protection Commissioner (IDPC) have been notified, with the IDPC confirming that it has begun a statutory inquiry into the breach.