
Facebook data leak exposes users' private photos




Facebook announced in a blog post last week that a Photo API bug caused up to 6.8 million users’ unposted photos to be leaked to third-party app developers. Yes, you read that right, unposted photos. 

The photos were leaked to approximately 1,500 third-party apps, unintentionally giving 876 developers access to users’ photos that hadn’t been uploaded to their timelines. The leak left the photos exposed to developers for a total of 12 days, from September 13th to September 25th. At this time there is no indication that the photos affected by the bug were exposed to the wider public.

This is the latest in a series of alarming digital security blunders committed by the tech giant. Problems started in March with the highly publicized Cambridge Analytica fiasco, continued in June with a bug that changed 14 million users’ private data settings to public, were followed by the September hack of 30 million user accounts, and now include this latest Photo API bug. Facebook has been falling short on user privacy all year.

These stories have had even hardcore Facebook fans considering dumping the social networking site for good. Those not ready to press the delete button are keeping a close eye on their privacy settings, not logging on as often, or deleting the app from their phones. A survey conducted by the Pew Research Center in September found that nearly three-quarters of respondents had done at least one of the three. This trend will no doubt increase if Facebook continues to stumble on matters of privacy and loses the public's trust. 

In the blog post notifying the Developer Ecosystem of the Photo API bug, Facebook explained, “When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post. For example, if someone uploads a photo to Facebook but doesn't finish posting it - maybe because they've lost reception or walked into a meeting - we store a copy of that photo for three days so the person has it when they come back to the app to complete their post,” going on to say that “The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos.”

Facebook indicated that the issue has been resolved, adding that “[this] week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.”

The company is also notifying users impacted by the breach directly, via an alert that directs them to the Help Center. There they can check whether they have used any of the apps affected by the bug. Although it is reassuring that the company is working with developers and trying to make this right, the predictable PR response of “we’re sorry this happened and we’re taking steps to ensure it doesn’t happen again” sounds hollow when you consider that major data leaks at Facebook are now a regular occurrence. In fact, for trust in the company to be rebuilt, they need to stop occurring altogether.

With large-scale data breaches happening more often, it is critical for anyone using the internet to take the necessary steps to protect their private data. One of the best ways to secure your data online is by using a VPN (Virtual Private Network). The best VPN providers offer easy-to-use applications that encrypt all of your online communications and can help prevent your private information from ending up in the wrong hands.

Written by: Attila Tomaschek

Attila is a Hungarian-American currently living in Budapest. His more than 5 years in the VPN game, along with his acute understanding of the digital privacy space, enable him to share his expertise with ProPrivacy readers. Attila has been featured as a privacy expert in press outlets such as Security Week, Silicon Angle, Fox News, Reader’s Digest, The Washington Examiner, Techopedia, Disruptor Daily, DZone, and more. He has also contributed bylines for several online publications like SC Magazine UK, Legal Reader, ITProPortal, BetaNews, and Verdict.

