Facebook Inc said on Friday it has discovered a bug that may have affected up to 6.8 million people who used Facebook login to grant permission to third-party apps to access photos.
The incident may have affected up to 1,500 apps built by 876 developers, the company said.
Facebook said some third-party apps may have gained access to a broader set of photos than usual for 12 days between Sept. 13 to Sept. 25.
"When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline," engineering director Tomer Bar said in a message to developers.
"In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories."
Bar added that the bug also impacted photos that people uploaded to Facebook but chose not to post -- in situations where someone uploads a photo but doesn't finish posting it, for example.
"We store a copy of that photo so the person has it when they come back to the app to complete their post," he said.
Bar said affected users would be notified and directed to a help center where they will be able to see what images may have been affected.
"We're sorry this happened," he said. "Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users."
Facebook has been facing heightened scrutiny over its data protection practices in recent months, notably since the revelations over hijacking of personal data of tens of millions of users by Cambridge Analytica, a consultancy working on Donald Trump's 2016 campaign.
Facebook shares were down 1.3 percent at $143.07 in early trading on Friday. The Nasdaq composite index fell 0.9 percent.