A photo API bug in Facebook exposed over 6.8 million photographs belonging to nearly 5.6 million users. Surprisingly, the leak includes photos the users did NOT upload to Facebook: pictures that were never shared were leaked by the social media platform. The API bug gave access to hidden photos: photographs in Facebook stories, photographs in marketplaces, hidden timeline photographs, and, shockingly, photos on smartphones that the owners have never shared.
Am I part of the Facebook data breach?
Facebook users who have apps impacted by the bug are also expected to be notified. Users are being advised to log into their apps to check whether any third-party app has gained wrongful access to their photos. FB is expected to notify affected users and direct them to a help center, probably allowing them to see the pictures that were compromised. There is not much that FB users affected by the data leak can do until they know which third-party apps were involved in the data leaks. Once they have that information, users can log into those apps and cancel access to FB photos, or, better still, log out of their Facebook account completely. Accessing FB from a web browser would also be safer than using a FB app. As a precautionary measure, you should remove access for all external FB apps that access your photos.
The company revealed that it had recently become aware of an API bug that had run rampant for a couple of weeks in September. Hidden photos of nearly 5.6 million users were accessed by the developers of the bug. Between the middle and end of September, Facebook granted permission to third party apps to gain access to these pictures. According to reports, affected users can expect to receive notifications from Facebook. The app developers are also expected to receive tools to help check whether they have any unauthorized photos and to delete such images.
The social media platform has again apologized for its intrusive actions and has vowed to investigate the matter. Facebook could pay a steep price for its willful silence about the data breach, which it should have disclosed within 72 hours of finding out about it: GDPR fines amounting to as much as 4% of its annual global revenue, or 20 million pounds. According to a TechCrunch report, Facebook knew about the breach in September. In recent months, especially after the Cambridge Analytica episode, FB has attracted criticism for its negligent handling of user data.
Access given to a third-party app via Facebook is restricted to information made available by users of Facebook. The same rule holds if a user uses Facebook to log into a third-party account. Permission to access photos on FB granted to an app is restricted to pictures shared by people on their timeline. The latest breach allowed access to pictures of nearly 5.6 million people who did not share or post them on FB. Some of the users affected by the bug include people who were uploading pictures to FB but did not actually finish posting them.
Past data breaches by FB include the Cambridge Analytica incident, in which political advertisements were targeted after the improper harvesting of the personal data of 50 million users. In March 2018, FB was found to be accessing data relating to phone calls and text messages via smartphone apps, again without users’ consent. Private posts of 14 million users were made public in June 2018. In June 2018, WSJ revealed that FB continues to share user data with third-party developers, in direct contradiction of the company’s claim in 2015. In September 2018, the private data of 30 million users was stolen by hackers.