Facebook Inc. revealed Friday that a major software bug may have allowed third-party apps to wrongly access the photos of up to 6.8 million users, including images that people began uploading to the site but didn’t post publicly.

The mishap, which occurred over a 12-day period in September, adds to Facebook’s mounting privacy headaches after a series of incidents earlier this year in which it failed to fully safeguard the personal data of its users. It has already prompted European regulators to investigate — and brought fresh calls for the company to be fined.