A bug found in Facebook's photo API gave app developers access to photos not meant for public consumption from up to 6.8 million users.
The API allowed app developers to scrape the photos of a user who had granted the app access to their photo library via Facebook login. Because of the bug, however, the app developer could access not only the public photos but also photos that had been uploaded to Facebook but weren't published.
The bug was fixed 12 days after it was revealed in September. According to Facebook, a total of 876 app developers (up to 1,500 apps) had illicit access to private photos.
Facebook is working with app developers to make sure all the wrongly accessed photos will be deleted. If you are among the ones affected, you'll be notified via Facebook.
You can also check the third-party apps you have given photo access to via Facebook login to see if they have photos that shouldn't be public.
You can find more information about the bug at the Facebook Help Center.
Written by: Matti Robinson @ 16 Dec 2018 11:35