Another day, another Facebook (META -1.65%) privacy scandal. The latest comes in the form of a bug with Facebook's photo API that allowed third-party apps to access photos that users may have uploaded but not shared. Unlike some of the other controversies that were attributable to old bugs, this is a recent development, affecting users between Sept. 13 and Sept. 25 of this year. In addition to unshared photos, third-party apps may have been able to access photos shared in Facebook Stories or posted on Marketplace, the platform's classifieds section.

Those apps are only supposed to be allowed to access photos that a user shares on their timeline.

Generic illustration of a Facebook post

Image source: Facebook.

"We're sorry this happened."

Facebook says that users may sometimes upload a photo but not share it, perhaps because they lose cellular reception or must tend to something in the real world. In those situations, the company keeps a copy of the photo for three days as part of the draft post so that the user can come back later to finish sharing it. These are among the types of photos that were potentially exposed to third-party apps.

Approximately 6.8 million users were affected by the bug, and upwards of 1,500 apps built by almost 900 developers could have had the unintended access. The timing couldn't be worse: Just yesterday, Facebook marketing exec Carolyn Everson said that privacy was "the foundation of our company."

Of course, Facebook has apologized. But users, investors, and lawmakers are getting tired of empty apologies. The news comes just a couple months after the company disclosed a security breach that affected 30 million users, which was actually better than the 50 million users it thought were affected initially. Those users had all sorts of personal information compromised, including phone numbers, email addresses, and location data, among other types of data.

Facebook wants (more) payment credentials

Meanwhile, Recode separately reported that Facebook is working on creating a pay-TV platform, where the company will sell subscriptions to premium content channels like AT&T's HBO, CBS' Showtime, or Lionsgate's Starz, among others. The channels would presumably be available on Facebook Watch, which the company said yesterday hit 400 million monthly active users (MAUs) just four months after launching globally.

While most of the content currently available in Watch is free and ad-supported, the report shows that Facebook has grand ambitions to build out the platform to include premium paid content -- and get a cut of subscription revenue. Many tech giant peers, including Apple and Amazon, utilize a similar strategy. Of course, if a Facebook user were to subscribe, they would still be able to access those channels outside of Watch as well.

But Facebook's never-ending string of privacy debacles steadily erode user trust. Will users really trust the company with their payment credentials to handle the billing relationship? Of course, plenty of people have already given Facebook payment credentials, for features like peer-to-peer (P2P) payments in its messaging services or buying virtual goods within apps and games, as well as anyone who buys ads. The company's payments segment stopped growing a long time ago, but it's still chugging along, generating $188 million in revenue last quarter.

Trying to launch a pay TV platform will entail asking far more users to hand over payment credentials, at a time when users can't even trust Facebook with pictures of their lunch.