Facebook has revealed that a software bug exposed the photos of up to 6.8 million users, including pictures they had not posted.
It made the announcement a day after hosting its pop-up privacy experience "It's Your Facebook" in New York's Bryant Park.
It said several third-party apps had access to "a broader set of photos than usual" for 12 days in September.
The company said it would notify affected users.
It is the latest in a series of data breaches at the social network, which has faced scrutiny following the Cambridge Analytica data scandal.
"When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline.
"In this case, the bug potentially gave developers access to other photos," the company said in a blogpost.
It said up to 1,500 apps were affected by the glitch.
As well as letting developers access photos on a user's timeline, it gave them access to photos posted in Stories and Marketplace, among other features.
It also let them see photos that people had uploaded but not posted on Facebook, for example if they had started writing a post but not finished it.
Facebook said it would be working with affected developers to help them "delete the photos from impacted users".