Facebook is alerting 6 million of its users that their e-mails or phone numbers were inadvertently shared with other members.
The social network said Friday that it has discovered and patched a bug in its "Download Your Information" tool that unintentionally exposed some members' contact details. The bug was reported earlier this month through the company's White Hat program, which rewards security researchers for reporting vulnerabilities. The bug was fixed within 24 hours, a company spokesperson told CNET.
"It's ... something we're upset and embarrassed by," Facebook said in a note published to its security blog. "We'll work doubly hard to make sure nothing like this happens again."
The glitch itself is a bit difficult to explain, but essentially if you chose to download a copy of your data, your Facebook archive may have included the phone number or e-mail address of a person who you are connected to but did not have those particular contact details for. The extra information was provided because of a hiccup during the friend recommendation process.
Facebook explained the situation security blog with the following description:
When people upload their contact lists or address books to Facebook, we try to match that data with the contact information of other people on Facebook in order to generate friend recommendations. For example, we don't want to recommend that people invite contacts to join Facebook if those contacts are already on Facebook; instead we want to recommend that they invite those contacts to be their friends on Facebook.
Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people's contact information as part of their account on Facebook. As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DIY) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection. This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool.
Facebook said that it has no knowledge of the bug being used maliciously and that it has not received any complaints from users. Still, the company has notified regulators in the U.S., Canada, and Europe of the matter. Affected members will receive an e-mail that provides insight around their contact information that was shared and the number of people it was showed to, the spokesperson said.
As far as privacy blunders go, this one is rather benign. The exposed contact information was only shared with parties who already had some type of contact information on the person. But privacy advocates may use the gaffe as another reason to rail against the social network, affected parties could file lawsuits, and the Federal Trade Commission, an agency that has had run-ins with Facebook in the past, may want to investigate further.