META Meta Platforms Inc

By Aisha Al-Muslim and Deepa Seetharaman 

Facebook Inc. said unshared pictures of up to 6.8 million users may have been exposed by a software issue that granted app developers access to the photos, the latest in a series of privacy snafus at the social-media company.

Up to 1,500 apps may have had improper access to photos, including draft posts, from Sept. 13 to Sept. 25, Facebook said Friday in a post on its developers' blog.

A company spokeswoman said Facebook found and fixed the bug on Sept. 25 after an internal team made the discovery.

Facebook informed Ireland's Data Protection Commission, which is the company's lead privacy regulator in Europe, about the incident on Nov. 22, after the company determined it needed to report the breach to the authorities.

Facebook is required under European law to inform regulators about breaches within 72 hours after the company determines a breach took place.

In a statement, Graham Doyle, head of communications for the Data Protection Commission, said the regulator started a "statutory inquiry" this week to see if Facebook complied with European law.

Facebook said it believes it complied.

The company waited several weeks to announce the breach publicly because it needed to build a notification page and translate it into multiple languages, the spokeswoman said. Facebook automatically translates posts presented in the news feed in more than 60 languages.

"We're sorry this happened," wrote Tomer Bar, engineering director at Facebook, in the blog post.

Early next week, Facebook will roll out tools for third-party app developers to determine which people might have been affected by the application program interface bug. Facebook said it would work with the developers to delete affected users' photos.

The company, which will notify people potentially impacted through an alert on Facebook, also recommended users log into any apps with Facebook authorization to check or update photo-sharing permissions.

"When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline," Mr. Bar wrote. "In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post."

The company's disclosure Friday comes as it faces a range of regulatory inquiries into how it safeguards user privacy, treats its competitors and controls access to its platform.

Earlier this year, Facebook said the data related to as many as 87 million people may have been improperly shared with Cambridge Analytica, a political analytics firm. At the time, Chief Executive Mark Zuckerberg said: "We have a responsibility to protect your information. If we can't, we don't deserve it."

In September, Facebook reported that hackers gained access to nearly 50 million accounts in what amounts to the largest-ever security breach at the social network. On Thursday, Facebook opened a 24-hour pop-up shop in Manhattan's Bryant Park dedicated to privacy efforts.

Write to Aisha Al-Muslim at aisha.al-muslim@wsj.com and Deepa Seetharaman at Deepa.Seetharaman@wsj.com

(END) Dow Jones Newswires

December 14, 2018 14:13 ET (19:13 GMT)

Copyright (c) 2018 Dow Jones & Company, Inc.