A Facebook app icon on a smartphone in New York. Credit: Patrick Sison | AP

Facebook on Friday revealed that a major software bug may have allowed third-party apps to wrongly access the photos of up to 6.8 million users, including images that people began uploading to the site but didn’t post publicly.

The mishap, which occurred over a 12-day period in September, adds to Facebook’s mounting privacy headaches after incidents earlier this year in which it failed to fully safeguard the personal data of its users.

Because of a bug, about 1,500 apps could access “a broader set of photos than usual,” Facebook explained in a blog post.

In general, Facebook allows apps by third-party developers to access photos shared on a user’s timeline. But the bug may have allowed developers to access photos on Marketplace, a Facebook hub for users to buy and sell goods, and some posted in Stories, where users can share short photo or video updates that appear for 24 hours.

“We’re sorry this happened,” Facebook said in its blog post. “Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.”