Facebook’s latest leak has exposed private photos from up to 6.8 million users to apps that weren’t supposed to see them.

These apps were authorized to see a restricted set of users’ pictures, but a bug allowed them to see pictures they weren’t granted access to.

These included photos from people’s stories as well as photos that people uploaded but never posted (because Facebook saved a copy anyway).

The exposure occurred between September 12th and September 25th. Facebook said in a statement that it discovered the breach on the 25th; it isn’t clear why the company waited so long to disclose it.

Affected users will receive a notification alerting them that their photos may have been exposed. Facebook also says it’ll be working with developers to delete copies of photos they weren’t supposed to access.

In total, up to 1,500 apps from 876 different developers may have inappropriately accessed people’s pictures.

Facebook said the bug was related to Facebook Login and its photos API, which allows developers to access Facebook photos within their own apps.

All the impacted users had logged into a third-party app using their Facebook accounts and granted it some degree of access to view their photos.

Facebook has been in hot water again and again this year over data breaches and exposures, most notably with Cambridge Analytica.

In many cases, the problems haven’t been caused by hackers but have stemmed from issues within Facebook itself.

Google has already pledged to shut down Google+ over similar issues. Twice this year, the service exposed information inappropriately to developers.