Friday morning, Facebook disclosed the latest in an ongoing series of privacy and security lapses that have come to define the company in 2018. For nearly two weeks in September, a bug let third-party developers view the photos of up to 6.8 million Facebook users, whether they’d shared them or not.

Facebook will eventually alert affected users with a notification, which will send them to a page that details what happened and which apps might have their photos on hand. No need to wait, though; you can head to this page now to see whether you’re one of the unlucky millions. You’re potentially at risk if you use Facebook Login to sign into apps and approved them to access your photos. Up to 1,500 apps, from 876 developers, potentially had access to private pics.

This is not ideal! As Facebook notes in its Friday post for developers, those permissions are supposed to apply to photos that you share to your timeline. Thanks to this bug, developers could also have accessed photos that you shared to other areas of Facebook, including Marketplace and Stories. More alarmingly, they could have accessed any photos that you uploaded to Facebook but chose not to share at all. A small silver lining: Photos shared in Messenger conversations weren’t affected.

Facebook for Developers

Facebook says the bug was introduced on September 13 and that its security team found and fixed it on September 25. If the latter sounds familiar, it’s the same day Facebook discovered that hackers had compromised the accounts of 30 million users. But while the company disclosed that disaster on September 28, it took months to roll out news of its Photos API mess. Which means two things: September 25 was a terrible day to be a Facebook security engineer, and there are legitimate questions over whether Facebook could be in trouble with European regulators.

Europe’s General Data Protection Regulation, which went into effect earlier this year, gives companies 72 hours to notify the authorities of a breach. It’s been well over 72 days since Facebook first spotted the Photos API issue.

That doesn’t necessarily mean the company skirted the rules, though. Facebook argues that it needed that time to investigate whether the incident qualified as a breach under GDPR in the first place, and that it told the appropriate authorities within 72 hours of making that determination. Similarly, Facebook says it took so long to notify affected users because it needed time to identify and contact developers, and to build a “meaningful way” to notify users that they’d failed to protect their data. Given the number of times Facebook has had to do so this year, you’d think they’d have it down by now.

In fairness, the GDPR question isn’t entirely cut-and-dried. Companies get a pass on notifying regulators within 72 hours if the breach “is unlikely to result in a risk to the rights and freedoms,” and they only have to alert individual users to an incident if it “is likely to result in a risk to the rights and freedoms.” The GDPR offers some guidelines about what rises to that level, but it also leaves plenty of room for interpretation. While a hacker gaining access to bank account numbers and unencrypted passwords would certainly qualify, privacy lawyers say that photos exposed through an API to developers seems like legitimately murkier territory.

"There’s a lot of anger and finger pointing and frustration about how do we still have security bugs and privacy bugs, and how are these things still happening?" Alex Rice, HackerOne

Meanwhile, Facebook has yet to fully resolve the issue. The company says it will roll out tools for app developers early next week to help them determine which of their users might have been affected, and it will further help with the deletion of any photos that they have inappropriate access to. Facebook also recommends that if you are impacted, you log into any apps you’ve given Facebook photos permissions to double-check what they have on hand. It’s unclear if, beyond that sort of personal audit, Facebook can guarantee that every developer will delete every unauthorized photo.