Facebook has posted on its blog for developers about yet another privacy issue, this time involving photos. 

6.8 million users were affected over a 12 day period in September. Yes, three months ago. Facebook hasn't yet revealed when it came across the bug, but it was fixed on 25 September and the social network has filled us in on other details

GDPR rules state that you must disclose a data breach within 72 hours, so it's unclear whether Facebook complied with that or not.

The bug was within the code that developers use to access Facebook services. It enabled apps you'd approved to view your timeline pics to see a lot more than that. 

Facebook Stories pics were also accessed (nobody uses FB Stories so that's OK) plus stuff from Marketplace but stunningly it also enabled these apps to see pictures you'd uploaded but never shared. 

Up to 1,500 apps are affected, built by 876 developers.

Facebook adds it will provide a tool for developers to check if they were affected and users will be shown the notification above if FB thinks they might have had their photos accessed. 

Facebook has been stung by recent privacy issues and there have been numerous disclosures in recent months.

It's unclear why Facebook hasn't disclosed this issue until now given that it has talked about other problems over the intervening time period.