"When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories", the release said.
The bug also impacted photos that people uploaded to Facebook but chose not to post, the release said.
Facebook noted that the bug, which may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers, had been fixed.
The statement comes after reports that the US high-tech giant Facebook had sold users' personal data to third parties. The reports appeared after a release of the company's inner documents suggesting Facebook joined "whitelisting" agreements with other tech companies and app developers, allowing them to access user details after the 2014-15 platform update.
Data stolen from the internet and social media companies has prompted the US Congress to explore a number of initiatives to regulate access to personal information posted online.
