Oh, Facebook. Once again, there's a user-privacy issue. This time, a photo API bug accidentally exposed millions of users' photos to third-party apps, according to a post today (Dec. 14) on the company's developer blog.
Usually, when you give an app permission to access your Facebook photos, that app can only access photos shared on your Timeline. However, from Sept. 13 to Sept. 25, 2018, this bug inadvertently gave third-party apps access to photos that were not shared on timelines. This would include photos posted to Marketplace or Facebook stories as well as, crucially, photos that were posted privately or cancelled before they finished uploading.
Facebook claims it will work with app developers to identify which photos were erroneously exposed and delete them. Potentially affected Facebook users will get a Facebook notification, so keep an eye out for that.
If you believe you may have been affected by this bug, you should double-check the apps you've granted access to your Facebook photos during the past few months. Then, make sure you've deleted or revoked access to any pictures that shouldn't be there.
Also, if this kind of thing scares you, it might just be time to delete your Facebook account.