The vulnerability covered just under two weeks, from Sept. 13 to Sept. 25, and it has been fixed, Facebook says.
The bug affected up to 6.8M users and 1,500 applications built by 876 developers, it says in a blog entry.
"We're sorry this happened," the company says. "Early next week we will be rolling out tools for app developers that will allow them to determine which people using their app might be impacted by this bug."
It will also notify affected users.
Subscribe for full text news in your inbox