Said to taken place from 13 to 25 September, the bug allowed third-party apps to access photos in areas such as Marketplace and Facebook Stories. This is something rather out of the ordinary since users usually only allowed these apps to access photos that were shared on their timeline alone.
Other than that, these apps might also able to access photos that users uploaded to Facebook but didn’t post them on the platform itself during that specific 12-day period in September. According to the company, it actually stores a copy of such photos for three days so that users would still be to post them up when they return to the Facebook app once again. Facebook stated that up to 6.8 million users and 1,500 apps that were created by 876 developers might have been affected by the photo API bug which has now been fixed. Users that are potentially affected by the bug should be able to see a notification from Facebook (shown above) that will also help them identify the apps that might be affected by the bug. So, do keep a look for that alert on your Facebook account, just to be sure. (Source: Facebook for Developers)