The company blames a bug.
"Some third-party apps may have had access to a broader set of photos than usual for 12 days between September 13 to September 25, 2018," explained Tomer Bar, a Facebook employee. In a blog post published by Bar, Facebook has addressed an issue they say affected "up to 6.8 million users and up to 1,500 apps built by 876 developers." Their statement attributes the cause of the leak to a technical bug which has been fixed.
The company's post explains which photos were roped in for exposure by the malfunction.
"The bug also impacted photos that people uploaded to Facebook but chose not to post. For example, if someone uploads a photo to Facebook but doesn't finish posting it - maybe because they've lost reception or walked into a meeting - we store a copy of that photo for three days so the person has it when they come back to the app to complete their post."
Their blog post also serves as an official apology.
"We're sorry this happened. Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users."
Facebook shares were down by 1% at $143.52, in early afternoon trades, the days after the apology.