Due to a bug in the API, third-party applications could access private and even unpublished photos.
We are talking about applications that users give access to their photos on Facebook. Usually the social network shares with them only those images that are published in the user's timeline. But due to a mistake third-party apps could access pictures posted in "stories" on the marketplace Marketplace, as well as to photos that the user uploaded to Facebook, but ultimately did not publish. The latter is possible because the social network stores a copy of the image.
The bug in the API existed from September 13 to 25, 2018, until it was noticed by the Facebook developers. IN During this time, 1,500 applications from 876 developers had potential access to users' personal photos.
Facebook will warn users who may have been affected by this bug. They will receive a notification with a link to a list of applications that may have accessed their photos. The company will also contact the developers applications to delete users' private pictures.
Link to source spot