Facebook has just announced that a Photo API bug gave app developers access to user photos outside of the scope intended for 5.6 million users. This includes granting apps access to Facebook Stories, Marketplace photos, and photos that were uploaded but not shared. The bug was in effect from September 13th to September 25th.
As of now, Facebook is working on releasing tools to allow app developers to determine if they were impacted by this bug, and will work with them to delete unauthorized photos. Facebook will also be notifying any users they suspect may have been affected.