New Facebook Data Breach Exposes User Photos

As we all hurtle towards Christmas Day, Facebook has delivered a festive surprise – a security breach that affects up to

As we all hurtle towards Christmas Day, Facebook has delivered a festive surprise – a security breach that affects up to 6.8 millions users. Merry Christmas! The Facebook breach, which saw third-party apps given access to users’ photos without permission, is the latest in a long line of embarrassments for the social media giant.

Although originally discovered in September, Facebook hasn’t revealed the details of the breach to its users until now. It would be fair to say that it’s had its hands full with other data issues of late, making the latest one less than surprising.

We take a look at what the breach means, how you can tell if you’ve been affected, and how Facebook has responded so far.

Facebook Breach: What Happened and When?

According to Facebook, in a blogpost posted on 14 December, a bug had granted third-party apps permission rights to users’ photographs that they shouldn’t have had. This occurred between 13-25 September.

What should happen when a user gives permission to an app to use access their photos is that the app should only be able to see those images posted in the timeline. However, the bug also gave apps access to images shared in other places, such as Marketplace or Facebook Stories.

More worryingly, it also gave access to photographs that had been uploaded, but not set to public, as the user hasn’t finished their post. Facebook keeps such images for three days in case the user decides to come back later and finish the post.

In terms of numbers, Facebook state that the bug has affected up to 6.8 million users, and 1,500 apps. It’s since been fixed, but it does mean that for a period of almost two weeks, user photos were vulnerable to being accessed without permission by certain apps.

Facebook apologyHow Many Facebook Accounts Have Been Affected?

To find out if you were one of the 6.8 million users affected, log into your Facebook account to see if you’ve received a message from the company about the latest breach. If you haven’t, then you’re safe.

If you do have the message, shown right, then you are one of the unfortunate 6.8 million. Facebook has apparently instructed third-party apps that have accessed your images without permission to take steps to delete any such photos. It also lists the apps that may have had access to your images during this process.

There isn’t anything that the user needs to do to rectify the situation. But, if you’re concerned about privacy after the most recent breach, it’s worth taking five minutes to go through Facebook’s privacy settings to make sure you’re comfortable with the amount of access you’re giving the company.

What Has Facebook Said?

Facebook has become used to saying ‘sorry’ over the past couple of years, and the latest leak was no exception. However, while the company has apologized to those affected, the one part it hasn’t addressed is why it has taken nearly three months for this information to come to light.

Facebook acknowledged that the issue was rectified on 25 September. Even if that was the actual date that Facebook first spotted this issue, it still means a long gap between discovery and announcement – nearly two months, in fact. Not a good look.

If we’re going to cut Facebook some slack (and we’re reluctant to do so), 25 September was the same day that its engineers discovered that hackers had compromised its security and had access to over 50 million accounts. Talk about a bad day at the office.

However, Facebook shared details of that particular breach just three days later.

Facebook’s Bad Year

While there’s never a good time for a company to tell its users that their security may have been compromised, the timing of the latest privacy issue is particularly embarrassing for Facebook.

It comes hot on the heels of other data breaches, and just a day after the company launched its security awareness pop-up shop in New York, specifically designed to educate its users about Facebook privacy and alleviate concerns. Whoops.

Then there’s the rather turbulent year that the company has had on the world stage, being called in front of governments to explain its ambitions and answer concerns about the amount of power it yields. Mark Zuckerberg didn’t even bother showing up to an invite from the UK parliament, which responded in kind by seizing a cache of very unflattering Facebook documents.

It’s unlikely that the public’s perception of Facebook will be reversed easily. And, with so many of us unfriending the social media giant, the latest gaffe is just another in a long line of mis-steps that it can’t afford.

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at

Written by:
Jack is the Deputy Editor for He has over 15 years experience in publishing, having covered both consumer and business technology extensively, including both in print and online. Jack has also led on investigations on topical tech issues, from privacy to price gouging. He has a strong background in research-based content, working with organisations globally, and has also been a member of government advisory committees on tech matters.
Explore More See all news
Back to top
close Thinking about your online privacy? NordVPN is's top-rated VPN service See Deals