Science

Millions of Facebook users may have had their photos exposed due to privacy flaw

Facebook's privacy controls have broken down yet again, this time through a software flaw affecting nearly seven million users who had photos exposed to a much wider audience than intended.

Bug gave hundreds of apps unauthorized access to photos of nearly 7 million users

Facebook's privacy controls have broken down yet again, this time through a software flaw affecting nearly 7 million users who had photos exposed to a much wider audience than intended. (Luis Acosta/AFP/Getty Images)

Facebook's privacy controls have broken down yet again, this time through a software flaw affecting nearly seven million users who had photos exposed to a much wider audience than intended.

The bug disclosed Friday gave hundreds of apps unauthorized access to photos that could in theory include images that would embarrass some of the affected users. They also included photos people may have uploaded but hadn't yet posted, perhaps because they had changed their mind.

It's not yet known whether anyone actually saw the photos, but the revelation of the now-fixed problem served as another reminder of just how much data Facebook has on its 2.27 billion users, as well has how frequently these slip-ups are recurring.

The bug is the latest in a series of privacy lapses that continue to crop up, despite Facebook's repeated pledges to batten down its hatches and do a better job preventing unauthorized access to the pictures, thoughts and other personal information its users intend so share only with friends and family.

In general, when people grant permission for a third-party app to access their photos, they are sharing all the photos on their Facebook page, regardless of privacy settings meant to limit a photo to small circles such as family. The bug potentially gave developers access to even more photos, such as those shared on separate Marketplace and Facebook Stories features, as well as photos that weren't actually posted.

Facebook said the users' photos may have been exposed for 12 days in September. The company said the bug has been fixed.

Facebook CEO Mark Zuckerberg makes the keynote speech at F8, Facebook's developer conference, in San Jose, Calif., in May. Friday's bug is the latest in a series of privacy lapses that continue to crop up. (Marcio Jose Sanchez/Associated Press)

The company declined to say how many of the affected users are from Europe, where stricter privacy laws took effect in May and could subject companies to fines. Facebook said it has notified the Irish Data Protection Commission of the breach.

The problem comes in a year fraught with privacy scandals and other problems for the world's biggest social network.

Revelations that the data-mining firm Cambridge Analytica improperly accessed data from as many as 87 million users led to U.S. congressional hearings and changes in what sorts of data Facebook lets outside developers access. In June, a bug affecting privacy settings led some users to post publicly by default regardless of their previous settings. This bug affected as many as 14 million users over several days in May.

With each breakdown, Facebook risks losing credibility with both its audience and the advertisers whose spending generates most of the company's revenue.

"It's like they keep getting these chinks in the armour that is causing this trust deficit," said Michael Priem, CEO of Modern Impact, which places ads for a variety of major brands.

User base strong despite issues

Although Facebook doesn't appear to be losing a lot of users, Priem said some advertisers have been seeing data indicating that people are spending less time on the social network. That's raising concerns about whether the privacy breakdowns and problems with misinformation being spread on the services are taking a toll.

But it's difficult to know how much Facebook's recent wave of headaches has been affecting the service because its growth, particularly among younger people, had been slowing even before the problems began to crop up, said Nate Elliott, an analyst with the research firm Nineteen Insights.

Advertisers are unlikely to curtail their spending significantly as long as Facebook is able to maintain the current size of its audience, Elliott said. So far there has been little evidence a significant percentage of the users are worried enough about privacy to get off the service.

Watch how to protect your personal data on Facebook:

"Even if people don't trust Facebook, as long as the value that the service provides is worth more than the cost of the privacy violations, then that may be a trade-off most people are willing to make," Elliott said.

On Thursday, to counter the bad rap it's gotten around privacy, Facebook hosted a one-day "pop-up" to talk to users about their settings and whatever else may be on their mind. Chief privacy officer Erin Egan gave Facebook's work on privacy a "B" when asked by a reporter for a grade. By 2019, she said she hopes the improvements will result in an "A."

Privacy experts might call it grade inflation. In any case, the company has its work cut out before it makes the top grade. The company has had to increase how much it spends on privacy and security, which put a dent in its bottom line and in August contributed to a stock price plunge .