The company said the mistake happened as it worked to redesign how it displays parts of user profiles that are always public.
Posts are public by default for new accounts, but every Facebook user can limit who sees each post by using what the company calls an “audience selector.” People can also make new posts only visible to friends or sub-groups of friends, for example, by altering this default through their privacy settings.
But, for four days in May, the bug ignored user preferences and set the default audience for all new posts to “public,” the company said. Facebook stopped the bug on May 22 but did not restore the proper privacy settings to all posts until May 27.
The social network is working to rehabilitate its relationship with users after the Cambridge Analytica controversy, which drew renewed attention to how much data the company collects. Facebook is currently in the process of rolling out new privacy menus to all of its 2 billion users.
But the controversies keep on coming. This week, The Washington Post reported that Facebook shared special user data with Huawei — a Chinese firm that lawmakers say poses a national security threat. The news prompted a swift response from lawmakers, who asked Facebook for more information on those partnerships, and raised further questions about whether Facebook has violated a privacy agreement it had made with the government in 2011.
Those affected by this latest issue will receive notifications from Facebook starting Thursday.
The problem did not change who could see older posts, Facebook chief privacy officer Erin Egan said in a statement. People could have changed the individual audience setting on posts, but would have had to notice the setting was different from what they'd chosen.
“We’d like to apologize for this mistake,” Egan said.
Correction: A previous version of this story said that 14 million people had their posts publicly shared. But not all of those users affected by the bug may have had their information shared.