Facebook bug exposes contact information of 6 million users

A bug that Facebook says has been fixed inadvertently shared email addresses or telephone numbers of approximately 6 million users, according to a Facebook blog post.

The bug, which was found through Facebook’s “White Hat Program,” which works with security researchers around the world, exposed information to people who may have been “connected” with the person whose information was shared.

The company post explained the possible consequences:

Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people’s contact information as part of their account on Facebook. As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection. This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool.

The company said that it disabled the DYI tool for a day but reinstated it after fixing the bug. Facebook says that it has “no evidence that this bug has been exploited maliciously and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing.”

In the blog post, Facebook said it was “upset and embarrassed” by the bug but said that “the practical impact of this bug is likely to be minimal since any email address or phone number that was shared was shared with people who already had some of that contact information anyway, or who had some connection to one another.”

Facebook has notified regulators in the U.S., Canada and Europe and is in the process of notifying affected users via email.

Facebook’s White Hat Program compensates security researchers for finding and pointing out Facebook security vulnerabilities.

Disclosure: Larry Magid is co-director of ConnectSafely.org, a non-profit Internet safety organization that receives financial support from Facebook and other Internet companies. 
