Whoops.

Again.

Facebook disclosed Thursday that a software bug may have switched some users’ posts to “public” without telling them. That means that status updates, photos, and other Facebook activity that people thought they were sharing just with their friends, or with friends of friends, would have instead been viewable by anyone—unless they noticed the settings change and fixed it.

The bug affected 14 million users around the world, Facebook told Recode and other news outlets. It was active for 10 days, from May 18 to May 27, before being fixed. Facebook said Thursday it has begun notifying those affected and prompting them to review their posts and privacy settings from that time period.

It’s the latest glaring privacy snafu by a company that has spent much of 2018 under scrutiny over its handling of users’ data. The bug happened just a month after CEO Mark Zuckerberg had spent two days testifying to Congress about Facebook’s privacy practices in the wake of the Cambridge Analytica scandal. The past week has also brought fresh revelations about how Facebook shared data with mobile phone–makers, including Chinese device-makers that are viewed by some in Washington as national security threats.

In each of those cases, the concern revolved around third parties such as companies and app-makers to whom Facebook handed potentially sensitive user data. But this bug involved no such middleman: Facebook simply undermined its own privacy settings by showing people’s private posts to strangers.

Facebook did not say how many people actually posted content that was made public without their explicit consent. Presumably, some people noticed when composing their posts that the audience indicator now said “public” and changed it back. No doubt others went on posting without being aware of the change.

Facebook apologized for the bug and offered the following statement to TechCrunch:

We recently found a bug that automatically suggested posting publicly when some people were creating their Facebook posts. We have fixed this issue and starting today we are letting everyone affected know and asking them to review any posts they made during that time. To be clear, this bug did not impact anything people had posted before – and they could still choose their audience just as they always have. We’d like to apologize for this mistake.

TechCrunch’s Josh Constine reports that the bug occurred as Facebook was testing a new “featured items” section of people’s profiles that would be visible to the public, even if the rest of their profiles were private. In the process, Constine writes, “Facebook inadvertently extended that setting to all new posts from those users.”

This is bad news for Facebook, for sure. How bad likely depends on the level of outrage it incurs from users, which might in turn depend on how many stories surface in the coming days of serious real-world consequences stemming from the bug.

As someone who's run a social network with private sharing, this makes my heart drop into my stomach. The failure mode is people's private messages being publicly visible for days — mix that with exes, with employers, just with ordinary social relationships. https://t.co/h11pTW3cxc — Yonatan Zunger 🔥 (@yonatanzunger) June 7, 2018

Clearly this was an accident on Facebook’s part, but that shouldn’t change the takeaway for any user who cares about their privacy. No matter how careful a company is with your online data, there’s always a chance it will be exposed, and the more you use a service such as Facebook, the higher the odds that eventually you’ll end up compromised in some way or another.