This article was published on June 21, 2013

Facebook admits privacy flaw impacted 6M of its users, leaking email addresses and telephone numbers

Facebook revealed today on its Security blog that a bug may have caused information for 6 million users to be shared with others. It’s believed that people who have some contact information about a user could have had access to their email address or phone number.

Currently, the social network company says there is “no evidence” that the bug was exploited for malicious purposes, and it has not received any complaints from its users so far. What’s more, Facebook has not seen any “anomalous behavior” on its platform to suggest any wrongdoing.

Here’s Facebook’s explanation for what happened:

When people upload their contact lists or address books to Facebook, we try to match that data with the contact information of other people on Facebook in order to generate friend recommendations. For example, we don’t want to recommend that people invite contacts to join Facebook if those contacts are already on Facebook; instead, we want to recommend that they invite those contacts to be their friends on Facebook.

Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people’s contact information as part of their account on Facebook.

As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection. This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool.

There’s no specific timeframe on how long the bug has been around — Facebook only says that the bug report was brought to its attention “recently.” It moved to disable the DYI tool to resolve the issue and after the problem had been fixed to the company’s satisfaction, the tool was brought back online.
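To make the class of bug concrete, here is an added Python sketch (not Facebook's code and not part of the original article) of an export that reads from a merged matching record next to one scoped to what the requester uploaded. The data model, the use of email as the match key, and all names and sample values are assumptions constructed for illustration.

```python
# Constructed sample data: address books keyed by the account that uploaded them.
UPLOADS = {
    "alice": [{"name": "Carol", "email": "carol@example.com"}],
    "bob": [{"name": "Carol", "email": "carol@example.com",
             "phone": "+1-555-0100"}],
}
FIELDS = ("email", "phone")


def build_merged_index(uploads):
    """Merge every uploader's details per matched person (assumed key: email).

    Each value keeps its provenance: the set of accounts that supplied it.
    """
    merged = {}
    for uploader, contacts in uploads.items():
        for contact in contacts:
            record = merged.setdefault(contact["email"], {})
            for field in FIELDS:
                if field in contact:
                    record.setdefault((field, contact[field]), set()).add(uploader)
    return merged


def export_flawed(requester, uploads, merged):
    """Export built from the merged record: includes other uploaders' values."""
    return [{"name": c["name"],
             "details": sorted(v for (_, v) in merged[c["email"]])}
            for c in uploads[requester]]


def export_scoped(requester, uploads, merged):
    """Export limited to values the requester supplied themselves."""
    return [{"name": c["name"],
             "details": sorted(v for (_, v), who in merged[c["email"]].items()
                               if requester in who)}
            for c in uploads[requester]]


def leaked_values(requester, uploads, export):
    """Regression check: exported values the requester never uploaded."""
    own = {c[f] for c in uploads[requester] for f in FIELDS if f in c}
    return {v for row in export for v in row["details"]} - own


if __name__ == "__main__":
    merged = build_merged_index(UPLOADS)
    print(leaked_values("alice", UPLOADS, export_flawed("alice", UPLOADS, merged)))
    print(leaked_values("alice", UPLOADS, export_scoped("alice", UPLOADS, merged)))
```

A check like `leaked_values` belongs in the test suite of any export or data-portability feature that reads from records enriched by other users' submissions.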

Facebook also touted its White Hat program to help it keep its security protocols up to snuff. It was through this initiative that the bug was discovered, and the company says that it has paid the researcher a bounty for the discovery.

US, Canadian, and European regulators have all been notified, according to the company. Affected users should receive an email from Facebook soon; the company says it is in the process of notifying them.