Facebook apparently couldn’t get to the end of its awful 2018 without exposing even more user data — photos, in this case. But at this point, we’re so inoculated to Facebook’s colossal leaks and data breaches that I challenge anyone to summon up a more impassioned response than a slight shrug. It’s just not special or even interesting anymore — and that’s deeply screwed up.
Engineering director Tomer Bar revealed the bug in a post to Facebook’s developer site. According to him, the bug came from the permissions users grant to apps to access their Facebook photos. Ordinarily, this is just the photos we’ve posted to our Facebook timelines — all the cute dogs and weekend benders or whatever else we don’t first post to Instagram. But, as Bar points out, sometimes we begin to share photos to Facebook, but, for whatever reason, don’t. Those photos would also have been exposed to any third-party apps, says Bar:
For example, if someone uploads a photo to Facebook but doesn’t finish posting it – maybe because they’ve lost reception or walked into a meeting – we store a copy of that photo so the person has it when they come back to the app to complete their post.
The bug was apparently active for 12 days in September before it was found and fixed. Bar estimates the bug allowed app developers access to up 6.8 million users and 1,500 apps.
It says something about the kind of year Facebook has had that, when you hear this particular bug “only” affected 6.8 million people, it’s dangerously easy to dismiss it with a cynical, “Well what do you expect?” Just think: this time last year, a data breach exposing 6.8 million users’ private photos would have been an absolute nightmare for Facebook. But at this point, it’s more like, “Facebook is gonna Facebook.”
After all, those are rookie numbers compared with the kind of data exposed in Cambridge Analytica (50 million users) or the September access token kerfuffle (29 million users) or even the May private post blunder (14 million users). That’s not even mentioning the search scraping scandal back in April, when Zuckerberg said basically every one of Facebook’s 2.2 billion users should just assume their data had been compromised by a vulnerability in Facebook’s search function.
Perhaps this is what the company is hoping will happen with a story like this. Third-party fact-checkers recently told The Guardian that Facebook is far more interested in saving face than actually battling misinformation. Facebook reps have since denied that claim, but I find it hard to believe the site’s PR team would be unhappy if we all just collectively rolled past this fender bender because it’s not anywhere near as massive as the rest of this year’s 32-car pileups.
Bar says the site will both notify users affected by the breach and offer tools to developers that will help them determine which of their users were affected (sounds mildly redundant) and delete the photos exposed.
He also says, “We’re sorry this happened.” You always are, Facebook.
We’ve reached out to Facebook for comment.