Facepalm: Facebook's latest privacy setback actually took place in September yet curiously enough, the company waited more than two months to tell users about it. The bug isn't as damning as some of its other scandals but it's not exactly a good look, either.

Facebook on Friday announced yet another privacy setback related to third-party data access. The social network believes the snafu may have impacted up to 6.8 million users and as many as 1,500 apps from more than 875 developers.

During a 12 day span between September 13 and September 25, 2018, a bug in Facebook’s photo API may have allowed some third-party apps to access user photos that they didn’t have permission to.

Tomer Bar, Facebook’s engineering director, said that when someone gives permission for an app to access their photos, the app is usually only granted access to pictures that people share on their timeline. The bug, Bar said, potentially gave developers access to other images, like those shared on Marketplace, Facebook Stories or those that were uploaded to the platform but never posted.

Bar pointed out that the only apps affected by the bug are ones that Facebook had approved to access the photos API and that individuals had authorized to access their photos.

Facebook will be rolling out tools next week that’ll allow developers to determine which people using their app might have been affected by the bug and will work with said developers to delete the photos. The social network will also alert impacted users via Facebook and direct them to the Help Center for more information.

The bigger issue here, as TechCrunch points out, is disclosure. Facebook is just now going public with a bug it discovered well over two months ago. Not only is that a bad PR look, it could land the company in hot water with regulators.

Lead image courtesy TY Lim via Shutterstock