This critical photo API bug learned by Facebook internal security research team and it affected only users who have login Facebook and granted permission third-party apps in order to access their photos.
Facebook always notify peoples to check which third-party apps accessing their photo and review it to keep it or remove the access to concern app that you have already granted access.
Photos That Affected by This Bug
In this case, Facebook generally, provide access to 3rd party app shares photos only that you have posted on your timeline but this critical bug granted access to these app developers to access the photo that users didn’t post into their timeline just uploaded their photo without post it.
Due to this bug, Facebook believes that some of the developers may have had an access to the photos which is not posted(just uploaded) by users for 12 days in between 13 to September 25, 2018.
Facebook fixed this bug and Apologized to the users and said
“Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug. We will be working with those developers to delete the photos from impacted users.”
if you want to check whether you’re one of the victims among millions just check this link that provide by Facebook.