If you’ve been operating under the assumption that your private Instagram photos have indeed been private this whole time, you might be in for a rude awakening. Quartz recently uncovered a flaw that allowed people to see images from private accounts under certain circumstances. Here’s how it worked.

Prior to the patch, any photo that was shared via web links from a public account that was later changed to a private account could still be viewed using the link. The publication notes that the exploit only worked on the web; accessing the now-private photos in Instagram’s Android or iOS apps proved impossible.

Following the patch, said web links can only be viewed by your followers. The exception to this, of course, is if you share an image from Instagram on another social network like Facebook or Twitter. The only way to bar access to a photo under the latter circumstance is to delete it.

Instagram acknowledged the issue in a statement to Quartz late last week before patching the flaw. An inspection of the company’s privacy policy found no mention of how a user’s photos are to be handled when going from public to private.

While not seen as a major setback for Instagram itself, the flaw and any other potential privacy glitches could have an impact on parent company Facebook.

Following a privacy dispute with the FTC, the social network agreed to undergo an independent review of its privacy policies on a bi-annually basis for the next 20 years.