According to Facebook's latest disclosure, a technical bug has been inadvertently sharing the contact information of its users since last year. So far, the personal information of approximately 6 million Facebook users has been compromised by this bug. However, according to the company, the information in those cases was shared with only one person, someone already known to the affected user outside his/her Facebook circle.
Facebook runs a White Hat program to collaborate with external security researchers, which helps the company maintain the highest security standards for its users. A recent report from its White Hat program stated that the bug may have allowed some of a person’s contact information (email or phone number) to be accessed by people who either had some contact information about that person or some other connection to them.
When people upload their contact lists or address books to Facebook, it tries to match that data with the contact information of other people on Facebook in order to generate friend recommendations. Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations Facebook sends was inadvertently stored in association with people’s contact information as part of their account on Facebook.
When people downloaded an archive of their Facebook account through the Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or for people with whom they have some connection. This contact information was provided by other people on Facebook and was not necessarily accurate, but it was inadvertently included with the contacts of the person using the DYI tool.
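The data flow described above can be reproduced in a small model. This is an added example, not Facebook's code: the names (`ACCOUNTS`, `UPLOADS`, `export_leaky`, `export_scoped`, `leaked`) and all sample data are hypothetical and constructed, and matching is assumed to work by shared identifier. It shows the flawed export beside a corrected one that is scoped to the requester's own upload, plus a check that reports identifiers the requester never supplied.

```python
# Simplified model of the flaw described above (constructed data, hypothetical names).
ACCOUNTS = {"carol": {"carol@example.com"}}   # identifiers registered on each account
UPLOADS = {                                   # uploader -> contact name -> identifiers
    "alice": {"Carol": {"carol@example.com"}, "Dave": {"dave@example.net"}},
    "bob": {"Carol": {"carol@example.com", "+1-555-0100"}},
}

def resolve(identifiers, accounts):
    """Return the account an uploaded entry matches, or None."""
    for account, registered in accounts.items():
        if registered & identifiers:
            return account
    return None

def build_match_index(uploads, accounts):
    """Friend-recommendation data: every identifier any uploader holds for an account."""
    index = {}
    for book in uploads.values():
        for identifiers in book.values():
            account = resolve(identifiers, accounts)
            if account is not None:
                index.setdefault(account, set()).update(identifiers)
    return index

def export_leaky(user, uploads, accounts):
    """Flawed export: merges the cross-user match index into the user's own contacts."""
    index = build_match_index(uploads, accounts)
    out = {}
    for name, identifiers in uploads[user].items():
        account = resolve(identifiers, accounts)
        out[name] = sorted(identifiers | index.get(account, set()))
    return out

def export_scoped(user, uploads):
    """Corrected export: only what this user uploaded."""
    return {name: sorted(ids) for name, ids in uploads[user].items()}

def leaked(user, uploads, accounts):
    """Regression check: identifiers in the export that the user never supplied."""
    leaky, scoped = export_leaky(user, uploads, accounts), export_scoped(user, uploads)
    extra = {n: sorted(set(leaky[n]) - set(scoped[n])) for n in leaky}
    return {n: ids for n, ids in extra.items() if ids}

if __name__ == "__main__":
    print(leaked("alice", UPLOADS, ACCOUNTS))  # identifiers Alice never uploaded
    print(leaked("bob", UPLOADS, ACCOUNTS))
```

A check like `leaked` works as a regression test for any export feature: everything in a user's archive should be traceable to data that user supplied.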
“After review and confirmation of the bug by our security team, we immediately disabled the DYI tool to fix the problem and were able to turn the tool back on the next day once we were satisfied that the problem had been fixed,” stated the blog post. According to Facebook, the bug has been live since last year, but the company discovered it just last week.
Approximately 6 million Facebook users had email addresses or telephone numbers shared, and in almost all cases an email address or telephone number was exposed to only one person. Facebook claims that no other type of personal or financial information was included, and that only people on Facebook had access to the DYI tool, not developers or advertisers.
Facebook has already notified its regulators in the US, Canada and Europe, and affected users should be receiving an email from Facebook.