Facebook has started sending warning emails to users whose personal information was compromised by the security bug it confirmed yesterday, and the emails confirm which pieces of data were exposed. The bug exposed some six million Facebook users’ email addresses and telephone numbers to other site users because Facebook had “inadvertently stored [it] in association with people’s contact information as part of their account on Facebook”.
Facebook says it uses this data so it can generate friend request recommendations.
The notification email — we’re embedding a copy of an email sent to one Facebook user below — echoes what Facebook’s security team said in a blog post about the data breach yesterday. It explains the scope of the bug and goes into the same level of technical detail as to how it happened. It also confirms which specific piece (or pieces) of personal data were exposed for that particular user.
In the email below, two pieces of data have been compromised (a phone number and an email address). In another sample letter sent to TechCrunch by a tipster, the user has had six pieces of data compromised (one phone number and five email addresses). That user, Jeisson Neira, who works for IT company IQTHINK, said the breach is unlikely to make him change his behaviour towards Facebook, but only because he already takes care with the data he posts to the site.
“Given I tell my clients to trust and rely on the cloud, I don’t think I’ll change my behavior towards Facebook. My general stance on online security is that if I don’t want information of mine ever getting out, well then don’t post it in the first place. None of the things that could have possibly been exposed are that secret,” he told TechCrunch. “Having said that, I do have many high profile clients who would not be at all happy having their numbers and personal emails leaked and so it would be a completely different story if it was their account.”
Another tipster told TechCrunch she had one email address compromised, but noted she cannot figure out how Facebook even obtained it: the address appears to be for a former workplace, is no longer valid and was never directly associated by her with her account. That suggests Facebook is automatically harvesting contact data from other Facebook users and associating it with other accounts.
That sort of action, while creepy, would certainly help Facebook expand its network of contact information so it can generate new friend recommendations. We’re reaching out to Facebook to confirm how it gathers this data and will update this story with any response.
If Facebook is harvesting data on its users from other site users, then not personally posting a piece of your contact information does not guarantee it won’t end up in Facebook’s databanks, where it is at risk of being exposed via this type of security breach. Facebook might simply be harvesting your contact data from someone else you have corresponded with.
All three emails seen by TechCrunch state that the data was “inadvertently accessible by at most 1 Facebook user”.
The bug had apparently been live since last year, before being brought to Facebook’s attention last week. Its security team then fixed it within 24 hours of it being flagged, according to the social network.