"When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories", the release said.
The bug also impacted photos that people uploaded to Facebook but chose not to post, the release said.
Facebook noted that the bug, which may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers, had been fixed.
Data stolen from the internet and social media companies has prompted the US Congress to explore a number of initiatives to regulate access to personal information posted online.