Facebook said a software bug led some users to post publicly by default regardless of their previous settings.
The bug affected as many as 14 million users over several days in May.
The problem, which Facebook said it has fixed, is the latest privacy scandal for the world's largest social media company.
It said the bug automatically suggested that users make new posts public, even if they had previously restricted posts to "friends only" or another private setting.
If users did not notice the new default suggestion, they unwittingly sent their post to a broader audience than they had intended.
Erin Egan, Facebook's chief privacy officer, said the bug did not affect past posts.
Facebook is notifying users who were affected and posted publicly during the time the bug was active, advising them to review their posts.
The news follows recent furor over Facebook's sharing of user data with device makers, including China's Huawei. The company is also still recovering from the Cambridge Analytica scandal, in which a Trump-affiliated data-mining firm got access to the personal data of as many as 87 million Facebook users.
Jonathan Mayer, a professor of computer science and public affairs at Princeton University, said on Twitter that this latest privacy gaffe "looks like a viable Federal Trade Commission/state attorney general deception case."