It’s a Friday, people, which means there’s more bad news from Facebook.
Facebook disclosed a data breach on Friday that affected 6.8 million users. The trouble once again came from the connectivity of third party apps. Facebook says it is “sorry this happened.”
From September 13-25 of this year, developers had access to Facebook users’ photos that they never had permission to see. Typically, apps should only be able to access photos in users’ timelines. But while the bug was active, apps had access to photos in people’s stories and photos they’d uploaded to Marketplace.
Perhaps most troubling, apps could also access photos that users may have uploaded to Facebook, but chose to never post. This means that Facebook actually stores photos that you uploaded and then thought, “hmm, better not,” for an unspecified amount of time. Here’s how Facebook explains it:
The bug also impacted photos that people uploaded to Facebook but chose not to post. For example, if someone uploads a photo to Facebook but doesn’t finish posting it – maybe because they’ve lost reception or walked into a meeting – we store a copy of that photo so the person has it when they come back to the app to complete their post.
This photo breach may seem like small potatoes in comparison to the 50 million person attack in September in which hackers exploited a vulnerability to steal the personal information of 29 million people. Giving access to photos you never meant to share is troubling, but perhaps not as damning as getting your contact information and a host of other information pinched by potential identity thieves.
The timing is what’s tricky here. Facebook disclosed the 50-million user data breach on September 25 — the same day it became aware of the photo bug. Under the GDPR, Facebook has 72 hours to notify users of data compromises. So why did Facebook wait nearly three months to tell us about this joyous invasion of our privacy?
Facebook plans to notify affected users with an “alert.” That will send them to the Help Center where they can see which apps may have had access to their “other photos.” There is no information about revoking access — once the unshared photo cat is out of the bag, it’s apparently out.
Here’s a mock up of the alert:
Mashable has reached out to Facebook to learn more about the timing of the incident, and whether there is any connection between the photo bug and the personal information breach. We’re also asking about how long Facebook stores the photos you’ve chosen not to share, and whether there’s a way to access and delete them. We’ll update this story when and if we hear more.
*Information contained on this page is provided by public rss feeds. Manager Mint Media makes no warranties or representations in connection therewith.