Facebook bug exposed up to 6.8M users’ unposted photos to apps

Reset the “days since the last Facebook privacy scandal” counter, as Facebook has just revealed a Photo API bug gave app developers too much access to the photos of up to 5.6 million users. The bug allowed apps users had approved to pull their timeline photos to also receive their Facebook Stories, Marketplace photos, and most worryingly, photos they’d uploaded to Facebook but never shared. Facebook says the bug ran for 12 days from September 13th to September 25th. Facebook tells TechCrunch it discovered the breach on September 25th, and informed the European Union’s privacy watchdog, the Office Of The Data Protection Commissioner (IDPC), on November 22nd. The IDPC has begun a statutory inquiry into the breach.

By way of apology, Facebook offered merely a glib “We’re sorry this happened.” It will provide tools next week for app developers to check if they were impacted and it will work with them to delete photos they shouldn’t have. The company plans to notify people it suspects may have been impacted by the bug via a Facebook notification that will direct them to the Help Center, where they’ll see if they used any apps impacted by the bug. It’s recommending users log into apps to check if they have wrongful photo access. Here’s a look at a mockup of the warning notification users will see:

Facebook initially didn’t disclose when it discovered the bug, but in response to TechCrunch’s inquiry, a spokesperson says that it was discovered and fixed on September 25th. They say it took time for the company to investigate which apps and people were impacted, and to build and translate the warning notification it will send impacted users. The delay could put Facebook at risk of GDPR fines, which can go up to 20 million pounds or 4 percent of annual global revenue, for not promptly disclosing the issue within 72 hours.

However, Facebook tells me it notified the IDPC that oversees GDPR on November 22nd, as soon as it established the bug was considered a reportable breach under GDPR guidelines. It says that it had to investigate to make that conclusion and let the IDPC know within 72 hours once it had. The head of communications for the IDPC Graham Doyle tells TechCrunch “The Irish DPC has received a number of breach notifications from Facebook since the introduction of the GDPR on May 25, 2018. With reference to these data breaches, including the breach in question, we have this week commenced a statutory inquiry examining Facebook’s compliance with the relevant provisions of the GDPR.”

Facebook tells me the bug did not impact photos privately shared through Messenger. The bug wouldn’t have exposed photos users never uploaded to Facebook from their camera roll or computer. But photos users uploaded but either decided not to post, that got interrupted by connectivity issues, or that they otherwise never finished sharing could have wound up with app developers.

The privacy failure will further weaken confidence that Facebook is a responsible steward for our private data. It follows Facebook’s massive security breach that allowed hackers to scrape 30 million people’s information back in September. There was also November’s bug allowing websites to read users’ Likes, October’s bug that mistakenly deleted people’s Live videos, and May’s bug that changed people’s status update composer privacy settings. It increasingly looks like the social network has gotten too big for the company to secure. Curiously, Facebook discovered the bug on September 25th, the same day as its 30 million user breach. Perhaps it kept a lid on the situation in hopes of not creating an even bigger scandal.

That it keeps photos you partially uploaded but never posted in the first place is creepy, but the fact that these could be exposed to third-party developers is truly unacceptable. That Facebook seems so tired of its failings that it couldn’t put forward even a seemingly heartfelt apology is telling. This company’s troubles are souring not only users on Facebook, but employees and the tech industry at large as well. CEO Mark Zuckerberg told Congress earlier this year that “We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you.” What does Facebook deserve at this point?

Ridesharing IPOs and $850M for Luckin, Plaid and Zymergen

Hello and welcome back to Equity, TechCrunch’s venture capital-focused podcast, where we unpack the numbers behind the headlines.

This week we had the regular crew back together, which was good fun. Connie took point, we had Danny mic’d up in New York and I was onsite to help the crew natter along with Bubba Murarka, a former VC and founder who now cuts checks on his own.

Thematically, this was a week of mega rounds, so we had little choice but to go over more than a few. And Uber is out there doing its IPO thing. So, we started with cars and pivoted to rounds.

Regarding Uber and Lyft, it’s mostly been said, but we took a noodle through the historical context of two other temporally close IPOs between rivals, Visa and Mastercard, and talked about the impending offerings for a minute, as we couldn’t resist. Do they lose too much money? Is there an advantage to going first? That sort of thing.

After, we got to the new funding rounds. First up was the Luckin Coffee $200 million round. The rise of Luckin in China has been simply astounding. I wanted to know some boring financial results, which our guest found a bit old-fashioned, but we all agreed that the company has hit on something big. And something big in China to boot, which means the company has been heading straight north.

Next, we touched on Plaid and its own $250 million infusion. The Kleiner-sourced round was far more money than the financial API company had raised before. It was a staggering amount of capital. The recent public-market success of Twilio and the private-market success of Stripe, both API-based companies, may have played a part in the round’s construction.

The good times are not merely coffee and software-focused, however. Zymergen also picked up a nine-figure round: $400 million.

So much for a seasonal slowdown. Hang tight, we’ll be right back.

Equity drops every Friday at 6:00 am PT, so subscribe to us on Apple Podcasts, Overcast, Pocket Casts, Downcast and all the casts.