Facebook Security Bug Exposed Personal Account Information, Emails And Phone Numbers, Six Million Accounts Affected

A Facebook security bug exposed users’ personal contact information (email or phone number) to other users who were connected to them; the bug has affected 6 million accounts.

“When people upload their contact lists or address books to Facebook, we try to match that data with the contact information of other people on Facebook in order to generate friend recommendations,” the security team wrote in a blog post published today.

“Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people’s contact information as part of their account on Facebook,” the post continued. “As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection.”
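The mechanism described in the post, modelled as an added Python sketch (this is illustrative code written for this page, not Facebook's code or a description of its actual systems): contact values learned from other users' uploads are attached to an account's stored address book to improve recommendations and suppress duplicate invites, and an export routine that does not distinguish owner-supplied values from inferred ones hands the inferred ones to the downloader. The hardened export filters on a provenance tag. All names, addresses and numbers are constructed.

```python
"""Illustrative model of the DYI-style data leak: contact values inferred
from other people's uploads get stored on an account and then exported.
Constructed example, not Facebook's code; all sample data is made up."""

from dataclasses import dataclass, field


@dataclass
class ContactValue:
    contact_name: str   # whom the value describes, as the uploader labelled it
    kind: str           # "email" or "phone"
    value: str
    provenance: str     # "owner_upload" or "inferred:<other uploader>"


@dataclass
class Account:
    user_id: str
    address_book: list = field(default_factory=list)


def upload_address_book(account: Account, entries: list) -> None:
    """Store what the account owner uploaded, tagged as their own data."""
    for name, kind, value in entries:
        account.address_book.append(ContactValue(name, kind, value, "owner_upload"))


def enrich_for_recommendations(accounts: dict) -> None:
    """Cross-reference uploads to build a fuller picture of each contact.

    For every contact an account already lists, attach values other users
    uploaded for the same contact, tagged with who supplied them. Storing the
    enrichment on the account record is the design choice that makes a naive
    export dangerous."""
    by_name: dict = {}
    for acct in accounts.values():
        for c in acct.address_book:
            by_name.setdefault(c.contact_name, []).append((acct.user_id, c.kind, c.value))

    for acct in accounts.values():
        listed = {c.contact_name for c in acct.address_book}
        known = {(c.contact_name, c.kind, c.value) for c in acct.address_book}
        for name, sources in by_name.items():
            if name not in listed:
                continue  # the owner never listed this contact at all
            for uploader, kind, value in sources:
                if uploader != acct.user_id and (name, kind, value) not in known:
                    acct.address_book.append(
                        ContactValue(name, kind, value, f"inferred:{uploader}")
                    )
                    known.add((name, kind, value))


def export_archive_buggy(account: Account) -> list:
    """Dump every stored value, regardless of where it came from."""
    return [(c.contact_name, c.kind, c.value) for c in account.address_book]


def export_archive_fixed(account: Account) -> list:
    """Dump only values the account owner supplied themselves."""
    return [(c.contact_name, c.kind, c.value)
            for c in account.address_book if c.provenance == "owner_upload"]


def leaked_third_party_values(account: Account) -> list:
    """Audit helper: what the buggy export would expose beyond the owner's own data."""
    return sorted(set(export_archive_buggy(account)) - set(export_archive_fixed(account)))


def build_scenario() -> dict:
    """Constructed data: Alice knows Bob's email; Carol knows Bob's email and phone."""
    accounts = {"alice": Account("alice"), "carol": Account("carol")}
    upload_address_book(accounts["alice"], [("Bob", "email", "bob@example.com")])
    upload_address_book(accounts["carol"], [("Bob", "email", "bob@example.com"),
                                            ("Bob", "phone", "+1-555-0100")])
    enrich_for_recommendations(accounts)
    return accounts


if __name__ == "__main__":
    accounts = build_scenario()
    alice = accounts["alice"]
    print("buggy export:", export_archive_buggy(alice))
    print("fixed export:", export_archive_fixed(alice))
    print("would leak  :", leaked_third_party_values(alice))
```

The audit helper is the piece a defender would run against a real export pipeline: if the set difference between "everything stored" and "owner-provided" is non-empty for any account, the export path is returning data the owner never entered. Tagging provenance at write time is what makes that check possible at all.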

A Facebook spokesperson tells me the bug has been live since last year, and was discovered last week. Facebook says the security team fixed the bug less than 24 hours after it was brought to their attention.

The social giant says six million users had email addresses or phone numbers that were included in the downloads. Additionally, there were non-Facebook users’ email addresses and phone numbers included in the downloads from tools to invite contacts to join Facebook; a Facebook spokesperson tells me that this information wasn’t tied to any Facebook accounts and “wasn’t structured and wasn’t identifiable.”

Facebook says the bug has not been exploited maliciously, and the company is reaching out to the affected users.

“For almost all of the email addresses or telephone numbers impacted, each individual email address or telephone number was only included in a download once or twice,” the post said. “This means, in almost all cases, an email address or telephone number was only exposed to one person. Additionally, no other types of personal or financial information were included and only people on Facebook – not developers or advertisers – have access to the DYI tool.”