Facebook's software for letting users download their data exposed the contact information of 6 million users, the company said today in a post on its security blog. Phone numbers and email addresses stored as part of its friend-recommendation system were inadvertently attached to their contacts' Facebook accounts, so that someone downloading an archive through Facebook's Download Your Information tool may have received other people's information.
Facebook noted that the information was not necessarily accurate or up-to-date. The company has not received any complaints that users' information was used maliciously, it said. In most cases, a person's contact information was only downloaded "once or twice," according to Facebook. Developers and advertisers cannot use the tool and therefore did not receive any contact information.
The bug was uncovered through the company's White Hat program, which enables security researchers to submit vulnerabilities in exchange for cash rewards. After verifying the bug, Facebook shut down the archive tool for a day while it fixed the problem.
Affected users will be notified by email. The company tried to play down the possible impact of the breach: "Although the practical impact of this bug is likely to be minimal since any email address or phone number that was shared was shared with people who already had some of that contact information anyway, or who had some connection to one another, it's still something we're upset and embarrassed by, and we'll work doubly hard to make sure nothing like this happens again."