Facebook just can't get it together as we learn about another major privacy breach on their platform. This time an internal bug caused any new posts created by 14 million Facebook users to be posted publicly rather than using their default setting.
When posting on Facebook, users can specify who can see their posts by using a drop-down menu where they can select "Public" (anyone), "Friends", or "Friends and Connections". This drop-down menu is called the "audience selector" and will retain the setting that you previously used for new posts going forward.
According to CNN, between May 18th and the 22nd a bug caused around 14 million people to have their default sharing settings set to "Public" for any new Facebook posts that were created. This means any posts that they made could be read by anyone regardless of their default setting.
Facebook told BleepingComputer that the "error occurred while we were building a new way to share featured items on your profile, like a photo. Since these featured items are public we inadvertently made the suggested audience for all new posts -- not just these items -- Public."
After the bug was detected, Facebook engineers spent an additional 5 days resetting any new posts made by these users to the default setting that they had previously been using.
"We recently found a bug that automatically suggested posting publicly when some people were creating their Facebook posts," said Erin Egan, Facebook's chief privacy officer. "We have fixed this issue and starting today we are letting everyone affected know and asking them to review any posts they made during that time. To be clear, this bug did not impact anything people had posted before -- and they could still choose their audience just as they always have."
For those who are affected, Facebook will be displaying privacy notifications that appear when a user logs into Facebook via the web or mobile app. These notifications state that Facebook "recently discovered a technical error between May 18 and 27 that automatically suggested a public audience when you were creating posts."
An example of how the notifications will be displayed can be seen below.
Facebook has stated that these types of notifications will be used going forward to report privacy issues or breaches.
Update 6/7/18 19:08 EST: Updated with information provided by Facebook to BleepingComputer and to make it clearer that it was new posts, not existing posts, that were set to Public. Facebook's official announcement is here.