SAN FRANCISCO — Facebook announced on Friday that it had discovered a bug that allowed outsiders access to private photos, potentially affecting some 6.8 million people who use the service.
“We have fixed the issue but, because of this bug, some third-party apps may have had access to a broader set of photos than usual,” Tomer Bar, an engineering director at the company, said in a blog post.
The announcement is the latest in a string of problems the social network has had with consumer data. In March, The New York Times reported that Cambridge Analytica, a third-party firm, harvested the data of Facebook users without their express knowledge or consent. And in September, a separate, more serious breach gave hackers full access to the Facebook accounts of tens of millions of users.
Facebook has pledged to better protect user information. “If we can’t, then we don’t deserve to serve you,” Mark Zuckerberg, the company’s chief executive, said in a note to users this year.
This most recent incident is somewhat less severe than previous ones. Around 1,500 third-party apps had access to users’ uploaded photos — even if they had not posted them publicly to Facebook — from Sept. 13 to Sept. 25.
But it is still another headache for Facebook, which has faced intensifying scrutiny from regulators and the public after a year of embarrassing failures protecting customer data.
“We’re sorry this happened,” Mr. Bar added.
In Europe, regulators signaled growing displeasure with Facebook’s privacy policies. The company’s main data-protection regulator in the European Union said on Friday that the mounting number of problems require a deeper investigation.
The Irish Data Protection Commission said it started an inquiry this week after receiving “a number of breach notifications from Facebook” over the past six months. Under the new European privacy law, known as the General Data Protection Regulation, or G.D.P.R., the investigation could lead to a fine of up to 4 percent of Facebook’s global revenue, or about $1.63 billion. The regulator can also require Facebook to change how it processes data in the region.
“We have this week commenced a statutory inquiry examining Facebook’s compliance with the relevant provision of the G.D.P.R.,” the Irish Data Protection Commission said in a statement.
The regulator started another investigation after Facebook disclosed the data breach in September. Ireland is the lead privacy watchdog of Facebook in the European Union because the company’s European headquarters is in Dublin.