A newly discovered bug may have given access to photos people uploaded to Facebook but did not publish.
The bug affects people who granted third-party apps permission to access their photos, and could involve 6.8 million users.
As many as 876 developers and 1,500 apps could have been able to see photos that users had opted not to share with friends, but had uploaded to the platform.
The bug was in the API that developers use to provide Facebook photo functionality to their apps. For example, if an app allows you to add stickers to your snaps, it would use this API to upload the modified image to the platform.
According to Facebook, the API was live with the bug for 12 days between September 13 and 25 this year.
Companies that discover bugs are supposed to declare them within 72 hours or face hefty fines. In this case, Facebook missed that deadline while it investigated the issue.
Failure to make this disclosure can open the company to a fine under European GDPR laws. Fines can be up to 4 per cent of annual global turnover, meaning Facebook could be facing a substantial penalty.
Next week the company will roll out tools that will allow developers to determine which people using their apps were affected. It will help developers delete photos they shouldn't have access to.
Affected users will see a notification in the Facebook app soon.
This issue comes after a particularly troublesome few years for the social network. Earlier this year the company admitted that 90 million accounts could have been accessed by hackers.
In July the company was fined £500,000 in October by the Information Commissioner for failing to protect user data.