Another day, another bug reported from Facebook.

On Friday, the social platform said that it discovered a bug in its photo application programming interface (API) that allowed third-party apps to access a broader set of photos than usually permitted. Users who allowed third-party apps access to their photos may have been affected. 

The bug was caused by an error in a code update for the photo API and may have impacted up to 6.8 million users in total. Facebook said it immediately began investigating the issue. Once it was discovered and notified, the Irish Data Protection Commission (IDPC) concluded the reportable breach under the General Data Protection Regulation (GDPR).

The company said in a blog post that photo access was only available from September 13 to September 25, 2018. The bug also impacted photos that people uploaded to Facebook but chose not to post.

“For example, if someone uploads a photo to Facebook but doesn’t finish posting it – maybe because they’ve lost reception or walked into a meeting – we store a copy of that photo so the person has it when they come back to the app to complete their post,” Tomer Bar, Facebook’s engineering director, said in the post.

However, the bug did not affect photos sent in Messenger conversations.

Facebook said it will notify users who have been impacted by the bug through an alert which will direct them to the platform’s Help Center link.

“We’ve heard loud and clear that we need to be more transparent about how we build our products and how those products use people’s data – including when things go wrong,” a Facebook spokesperson told AfroTech. “These types of notifications are designed to do just that.”