Facebook notified App developers
[developers.facebook.com] on Friday, Dec. 13 about a bug in the FB photo API that accidentally allowed some apps to access photos that were not intended to be shared. The bug had been fixed when it was first noticed last September. It had been active for 12 days, from the 13th to the 25th of September.
The bug did not affect everyone because it required users of affected Apps to give permission to access their photos. The problem was that the API bug then allowed Apps to access all photos
and not just those they had shared on their timelines. People who had uploaded photos but never posted them were surprised, as were people whose Marketplace or Facebook Stories photos were being shared.
Currently, we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers. The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos.
They will be notifying users who were likely to have been affected, and plan to offer a help center for those affected. FB also suggests that users who may have been affected to check to see what photos the have access to.