Facebook has revealed that a bug in its software could have exposed some personal information of more than six million of its users.
The social network giant said it received a report to its White Hat program (collaboration with external security researchers in order to weed out and fix problems) that identified a bug that could put the e-mail address and/or phone numbers of some of its users at risk.
The problem laid with the Download Your Information (DYI) tool and how Facebook uses some data to make friend recommendations. When people upload their contact lists or address books to Facebook, it tries to match that data with the contact information of other people on Facebook in order to generate friend recommendations. In this way, the service won't recommend that people invite certain contacts to Facebook if those contacts already have a Facebook account.
Due to the bug, some of the information used was inadvertently stored in association with people's contact information as part of their account on Facebook. As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection.
"We've concluded that approximately 6 million Facebook users had email addresses or telephone numbers shared," the company stated. "There were other email addresses or telephone numbers included in the downloads, but they were not connected to any Facebook users or even names of individuals. For almost all of the email addresses or telephone numbers impacted, each individual email address or telephone number was only included in a download once or twice."
Facebook has since disabled the DYI tool to fix the bug, and says there is no evidence that the bug was exploited maliciously.
The problem laid with the Download Your Information (DYI) tool and how Facebook uses some data to make friend recommendations. When people upload their contact lists or address books to Facebook, it tries to match that data with the contact information of other people on Facebook in order to generate friend recommendations. In this way, the service won't recommend that people invite certain contacts to Facebook if those contacts already have a Facebook account.
Due to the bug, some of the information used was inadvertently stored in association with people's contact information as part of their account on Facebook. As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection.
"We've concluded that approximately 6 million Facebook users had email addresses or telephone numbers shared," the company stated. "There were other email addresses or telephone numbers included in the downloads, but they were not connected to any Facebook users or even names of individuals. For almost all of the email addresses or telephone numbers impacted, each individual email address or telephone number was only included in a download once or twice."
Facebook has since disabled the DYI tool to fix the bug, and says there is no evidence that the bug was exploited maliciously.
Tags:
Facebook
