The company said a bug recently allowed third-party app developers to access photos that may not have been publicly released. Facebook estimates that up to 6.8 million users could be affected.
The Irish Data Protection Commission, which oversees Facebook's compliance with European regulations, announced Friday that it had "started a legal investigation" against Facebook based on several data breaches that the company had notified it this year.
"We're sorry that this happened," he added.
Users' photos were exposed in September over a 12-day period, according to the blog entry.
Asked why Facebook has been waiting to inform the public about the problem, a Facebook spokesperson told CNN Business, "We've been investigating the problem since it was discovered to understand the implications of it can make sure that we turn to the law The developers and the people affected by the mistake then took some time to build a meaningful way to notify the users and to handle the translations. "
As a result of this bug, the company believed that 1,500 apps created by 876 developers could have accessed the photos.
Facebook announced that potentially affected people will be notified.