Facebook announced this morning a bug in its Photo API system that potentially exposed photos to third-party app developers—even if you didn’t post the picture. The bug existed from September 13th thru the 25th.

The nuts and bolts are pretty simple here. Facebook offers APIs to app developers to allow them to build additional tools using Facebook as a foundation. One such tool involves the Photos API, which lets developers request access to users’ photos to provide a variety of utilities. When users grant access to their photos, however, it’s generally restricted to timeline photos.

This newly-announced Photo bug, however, allowed up to 1,500 apps to access¬†all user photos, including ones shared to Stories or in the Marketplace. What’s more, is that it also allowed these developers to see photos that had been uploaded but never posted—drafts, in other words. If you upload a picture but don’t follow through with posting, it’s automatically saved as a draft (unless you specifically delete it).

Facebook claims the bug affected “up to 6.8 million users and up to 1,500 apps built by 876 developers.” Those are some pretty big numbers, and while Facebook has fixed the issue, it’s alarming that it took¬†three months for them to disclose it to its users. This is just another point in a long list of issues Facebook has been dealing with over the last several months.

Facebook said it would notify users who were potentially impacted by this bug with a notification on its network, so keep an eye out for that.

via Facebook Developers