Facebook apologized on Friday for a “bug” that may have exposed unposted photos from as many as 6.8 million users over a 12-day period through third-party applications.

In the latest in a string of incidents on data protection, the leading social network said using Facebook login and granting permission to third-party apps to access photos may have led to the unintended lapse between September 13 and 25.

“When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline,” engineering director Tomer Bar said in a message to developers.

Facebook said it has fixed the breach and will roll out next week “tools for app developers that will allow them to determine which people using their app might be impacted by this bug.”

Those affected by the bug were apps “that Facebook approved to access the photos API and that individuals had authorized to access their photos,” Facebook added. The bug allowed those apps to see pictures of Facebook users that they were not granted access to.

Facebook said it will give its users notification about the possible exposure of their private photos, and that it will be working with developers to delete those copies of photos from impacted users.

The disclosure is another example of Facebook’s failure to properly protect users’ privacy that may drew more criticism of its privacy policy.

The world’s largest social media network has been grilled over the past year for its mishandling of user data, including its involvement in a privacy scandal in March when Cambridge Analytica, a British political consultancy firm, was accused of illegally accessing the data of more than 87 million Facebook users without their consent.

Last month, Facebook announced that up to 50 million users could have their accounts controlled by hackers due to a security bug that its CEO Mark Zuckerberg called “very serious.”