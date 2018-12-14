Joel Saget / AFP/Getty Images

Even if you didn't post a photo on Facebook, a security flaw could have shown it to app developers.

The social network disclosed a photo API bug on Friday that affected up to 6.8 million people on 1,500 apps connected to Facebook, the company said in a statement. The flaw comes from when you give permission for an app to access your photos on Facebook -- like when dating app Tinder uses your photos to set up your profile.

The bug was caused by an error in a code update in September, Facebook said.

The API is only supposed to allow the third-party app to access public photos that you shared on your timeline, but the bug gave developers on these apps complete access to other pictures, even ones that you uploaded but never posted.

"For example, if someone uploads a photo to Facebook but doesn't finish posting it - maybe because they've lost reception or walked into a meeting - we store a copy of that photo so the person has it when they come back to the app to complete their post," Tomer Bar, Facebook's engineering director, said in the post.

The issue didn't affect photos in Messenger, Facebook said.

The bug existed for 12 days, between September 13 and September 25, according to Facebook. The social network said that it would be rolling out a tool next week for app developers to determine whether their users were affected by the security flaw. Facebook will also be notifying the millions of people exposed through an alert, the company said.

While Facebook discovered the flaw in September, it did not notify the public for nearly three months because it was investigating the issue first to find out how many people were affected, the company said.

A spokesperson said that Facebook notified the Irish Data Protection Commission as soon as it figured out the breach was considered reportable under the European Union's data protection laws.

"We've heard loud and clear that we need to be more transparent about how we build our products and how those products use people's data -- including when things go wrong. These types of notifications are designed to do just that," a Facebook spokesperson said in a statement.

You can check which apps have access to your photos on Facebook in your privacy settings.

The flaw is Facebook's latest security blunder, as the company has been hit with multiple screwups related to privacy this year. A loss of public trust has pushed Facebook to make efforts like hosting privacy pop-ups in New York, London and Dublin this year.

Facebook dealt with controversies this year as well, including the massive Cambridge Analytica data abuse scandal, foreign influence campaigns, and a major breach affecting 29 million accounts. That breach, announced in September, was also an issue with Facebook's API, related to birthday videos on the social network.

"We're sorry this happened," Bar said in the post.

Originally published Dec. 14 at 8:08 a.m. PT.

Updated at 8:16 a.m. PT: With a response from Facebook.