Facebook security bug exposes contact information of millions of users

22 Jun 2013

A Facebook security bug has exposed the contact information of millions of users to other users who were connected to them. Six million accounts have been affected by the bug.

"When people upload their contact lists or address books to Facebook, we try to match that data with the contact information of other people on Facebook in order to generate friend recommendations," the security team wrote in a blog post published today.

"Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people's contact information as part of their account on Facebook," the post continued. "As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection."

According to Billy Gallagher of TechCrunch, a Facebook spokesperson told him the bug had been live since last year and was discovered last week. Facebook said the company's security team fixed the bug less than 24 hours after it was brought to their attention.

However, no financial or other information had been revealed to others. Also, there was no "evidence that this bug has been exploited maliciously," Facebook said yesterday in a security note, adding it was "upset and embarrassed" by the glitch.

According to Facebook, affected users were being notified by email, even as it stressed that the practical impact was likely to be "minimal," partly because the improper data sharing occurred only between users who already had some connection.

"We take people's privacy seriously, and we strive to protect people's information to the very best of our ability," Facebook said, adding, "Even with a strong team, no company can ensure 100 percent prevention of bugs." The company added that, in this case, the bug "may have allowed some of a person's contact information (email or phone number) to be accessed by people who either had some contact information about that person or some connection to them."

"We currently have no evidence that this bug has been exploited maliciously, and we have not received complaints from users or seen anomalous behaviour on the tool or site to suggest wrongdoing."

"Although the practical impact of this bug is likely to be minimal since any email address or phone number that was shared was shared with people who already had some of that contact information anyway, or who had some connection to one another, it's still something we're upset and embarrassed by."