Photo: Facebook headquarters, Dublin, Ireland - 14 Sep 2018

Another day, another Facebook privacy failure.

In a blog post published Friday, the social media giant said it found a glitch that enabled outside apps to access the photos of up to 6.8 million Facebook Login users.

The problem was discovered in Facebook’s photo API, short for application programming interface, a developer tool that lets apps connect to each other and share data.

“Our internal team discovered a photo API bug that may have affected people who used Facebook Login and granted permission to third-party apps to access their photos,” wrote engineering director Tomer Bar, adding that the company has already fixed the issue.

The glitch affected as many as 1,500 apps from 876 developers, the company said. But it also appeared to downplay the matter, describing it as a bug that exposed “a broader set of photos than usual” between Sept. 13 and 25.

Users must approve permissions to connect outside apps to their Facebook accounts. But some of those apps were able to go beyond their permissible scope to access timeline images, Facebook Stories and Marketplace photos.

More troubling, some of those images included pics that were uploaded but not publicly shared.

Facebook apologized and promised to release tools next week, so developers can figure out which of their app users were impacted.

The company’s fix can block new incidents from occurring, but it can’t take back the user images that have already been compromised during that span of 12 days. Instead, it pledged to work with app makers on deleting the unauthorized images.

The glitch caps off a year of major privacy stumbles for the tech company.

In April, Facebook came under fire over the Cambridge Analytica scandal, which sent chief executive officer Mark Zuckerberg to Washington, D.C., for Congressional inquiries, and in October, the company revealed that an attack on the network compromised the personal information of 29 million accounts.

The breach spanned private data, including names, e-mail addresses, phone numbers and even birthdates, sites visited and places checked into, for some users.