Facebook bug exposed contact info of 6 million users

Facebook is alerting 6 million of its users that their email addresses or phone numbers were inadvertently shared with other members.


The social network said on Friday that it has discovered and patched a bug in its "Download Your Information" tool that unintentionally exposed some members' contact details. The bug was reported earlier this month through the company's White Hat program, which rewards security researchers for reporting vulnerabilities. The bug was fixed within 24 hours, a company spokesperson told CNET.

"It's ... something we're upset and embarrassed by," Facebook said in a note published to its security blog. "We'll work doubly hard to make sure nothing like this happens again."

The glitch itself is a bit difficult to explain, but essentially, if you chose to download a copy of your data, your Facebook archive may have included a phone number or email address for a person you are connected to, even though you did not already have those particular contact details for them. The extra information was provided because of a hiccup during the friend recommendation process.

Facebook explained the situation on its security blog with the following description:

When people upload their contact lists or address books to Facebook, we try to match that data with the contact information of other people on Facebook in order to generate friend recommendations. For example, we don't want to recommend that people invite contacts to join Facebook if those contacts are already on Facebook; instead, we want to recommend that they invite those contacts to be their friends on Facebook.

Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people's contact information as part of their account on Facebook. As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DIY) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection. This contact information was provided by other people on Facebook, and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DIY tool.

Facebook said that it has no knowledge of the bug being used maliciously, and that it has not received any complaints from users. Still, the company has notified regulators in the US, Canada and Europe of the matter. Affected members will receive an email that details which of their contact information was shared and the number of people it was shown to, the spokesperson said.

As far as privacy blunders go, this one is rather benign. The exposed contact information was only shared with parties who already had some type of contact information on the person. But privacy advocates may use the gaffe as another reason to rail against the social network, affected parties could file lawsuits and the US Federal Trade Commission (FTC), an agency that has had run-ins with Facebook in the past, may want to investigate further.

Via CNET.com


DamienC1 posted a comment   

I'm one of those that got an email. They showed me what was shown to others (my work email, of no harm as it's on every business card and the yellow pages) and also how many people may have seen it (one). In theory it's no biggie if you only put on Facebook what is already out there for everyone to see anyway.
