Another Facebook data breach has been revealed that allowed app developers access to photos users uploaded to Facebook but had never even shared.
Facebook admitted the breach in a blog post on Friday, saying that they discovered “a photo API bug that may have affected people who used Facebook Login and granted permission to third-party apps to access their photos.”
“The bug also impacted photos that people uploaded to Facebook but chose not to post,” engineering director Tomer Bar wrote in a message to developers.
“For example, if someone uploads a photo to Facebook but doesn’t finish posting it — maybe because they’ve lost reception or walked into a meeting — we store a copy of that photo for three days so the person has it when they come back to the app to complete their post,” he wrote.
“Currently, we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers.”
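As an added illustration (not Facebook's code; the function names, scope name and sample data are all assumed), the authorization defect Bar describes reduces to a photo-access check that gates on ownership alone, so an app granted photo access also receives the temporarily stored uploads a user never posted. The corrected filter limits the scope to what the user actually chose to share:

```python
"""Added example, not Facebook's code. Assumed: a `user_photos` scope, a
photo store with a `posted` flag, and the constructed sample data below."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Photo:
    photo_id: str
    owner: str
    posted: bool          # False: unfinished upload kept briefly so the user can resume
    uploaded_at: datetime


# Constructed sample store: alice has two posted photos and one draft she never posted.
NOW = datetime(2018, 9, 20)
PHOTOS = [
    Photo("p1", "alice", True, NOW - timedelta(days=30)),
    Photo("p2", "alice", False, NOW - timedelta(days=1)),   # draft, never posted
    Photo("p3", "alice", True, NOW - timedelta(days=2)),
    Photo("p4", "bob", True, NOW - timedelta(days=5)),
]


def _require_scope(granted_scopes, scope):
    if scope not in granted_scopes:
        raise PermissionError(f"scope {scope!r} not granted to this app")


def photos_for_app_buggy(user, granted_scopes):
    """Checks the scope, but then filters only on ownership: drafts leak."""
    _require_scope(granted_scopes, "user_photos")
    return [p.photo_id for p in PHOTOS if p.owner == user]


def photos_for_app_fixed(user, granted_scopes):
    """The scope covers what the user shared, so unposted uploads are excluded."""
    _require_scope(granted_scopes, "user_photos")
    return [p.photo_id for p in PHOTOS if p.owner == user and p.posted]


def leaked_drafts(user, granted_scopes):
    """Regression check: ids the buggy path returns beyond what the scope covers."""
    buggy = set(photos_for_app_buggy(user, granted_scopes))
    fixed = set(photos_for_app_fixed(user, granted_scopes))
    return sorted(buggy - fixed)
```

Running `leaked_drafts("alice", {"user_photos"})` against the sample store returns the single draft id, which is exactly the class of object the fix is meant to keep out of a third-party app's response.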
The breach lasted for 12 days, from Sept. 13 to Sept. 25. Facebook said users who were impacted will be notified but also recommends logging into any Facebook apps and checking which photos the apps have access to.
Facebook has provided information about the breach to the European Union's privacy watchdog, the Office of the Data Protection Commissioner, which is investigating the incident, TechCrunch reported.
The Irish Data Protection Commission investigation will take place under strict European privacy laws adopted in May as part of the General Data Protection Regulation, according to AFP.
“The Irish DPC has received a number of breach notifications from Facebook since the introduction of the GDPR on May 25, 2018,” head of communications Graham Doyle said.
“With reference to these data breaches, including the breach in question, we have this week commenced a statutory inquiry examining Facebook’s compliance with the relevant provisions of the GDPR.”
Europe’s privacy rules require breaches to be reported within 72 hours of their discovery. Although Facebook said it discovered the breach on Sept. 25, it did not notify anyone until Nov. 22. However, Facebook said in a statement that it abided by the rules, CNBC reported.
“We notified the IDPC as soon as we established it was considered a reportable breach under GDPR. We had to investigate in order to make that conclusion. And once we did, we let our regulator know within the 72 (hour) timeframe,” Facebook said in a statement.
Sept. 25, the day this breach was discovered, was also the date that Facebook announced a massive security breach that impacted up to 50 million users.
In its reporting on the breach, The New York Times said this latest breach could become part of a wider discussion “about whether Facebook violated a consent decree with the Federal Trade Commission in 2011.”
That agreement required Facebook to actively protect users’ privacy and the security of their data.
David C. Vladeck, a former director of the FTC’s bureau of consumer protection, said that depending upon the circumstances, the breach could violate the FTC agreement.
“If Facebook can’t control access by third-party apps, they are going to be in constant trouble with the Federal Trade Commission — and the public at some point is just going to revolt,” Vladeck said. “This is just not acceptable.”