Facebook on Friday disclosed a bug that may have allowed some of a person's contact information (email or phone number) to be accessed by people who either had some contact information about that person or some connection to them.
Facebook's White Hat program - external security researchers that help the social network maintain security standards - reported that approximately 6 million Facebook users had email addresses or telephone numbers shared.
Facebook added that for almost all of the email addresses or telephone numbers impacted, each individual email address or telephone number was only included in a download once or twice. This means an email address or telephone number was only exposed to one person. Additionally, no other types of personal or financial information were included.
When people upload their contact lists or address books to Facebook, Facebook tries to match that data with the contact information of other people on Facebook in order to generate friend recommendations. Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations Facebook sends was inadvertently stored in association with people's contact information as part of their account on Facebook. As a result, if a person went to download an archive of their Facebook account through the Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection. Facebook said that only people on Facebook - not developers or advertisers - have access to the DYI tool.
After reviewing and confirming the bug, Facebook said it immediately disabled the DYI tool to fix the problem and turned the tool back on when the problem had been fixed.
"Although the practical impact of this bug is likely to be minimal since any email address or phone number that was shared was shared with people who already had some of that contact information anyway, or who had some connection to one another, it's still something we're upset and embarrassed by, and we'll work doubly hard to make sure nothing like this happens again," Facebook said.
Facebook added that it had notified regulators in the US, Canada and Europe, and that it would be notifying affected users via email.