Late last week, a bug caused a bit of chaos for Facebook’s privacy team. A security bug introduced into the Facebook environment exposed user emails and phone numbers to a limited number of people. Six million users were affected, and in most cases each user’s data was likely exposed to only one person.
The bug surfaced in the Download Your Information (DYI) tool and gave some users additional contact information about their friends. Here’s Facebook’s description of what happened:
“We’ve concluded that approximately 6 million Facebook users had email addresses or telephone numbers shared. There were other email addresses or telephone numbers included in the downloads, but they were not connected to any Facebook users or even names of individuals. For almost all of the email addresses or telephone numbers impacted, each individual email address or telephone number was only included in a download once or twice. This means, in almost all cases, an email address or telephone number was only exposed to one person. Additionally, no other types of personal or financial information were included and only people on Facebook – not developers or advertisers – have access to the DYI tool.”
TechCrunch covered an interesting angle on the bug, picking up on the “creepiness” of its origin. Facebook’s message says, “we try to match that data with the contact information of other people on Facebook in order to generate friend recommendations.” This means that Facebook uses other people’s data and connections to make recommendations for you.
As of right now, there is no evidence that the bug was exploited maliciously, and it has been contained, according to Facebook:
“We currently have no evidence that this bug has been exploited maliciously and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing. Although the practical impact of this bug is likely to be minimal since any email address or phone number that was shared was shared with people who already had some of that contact information anyway, or who had some connection to one another, it’s still something we’re upset and embarrassed by, and we’ll work doubly hard to make sure nothing like this happens again.”
For more information, see the official Facebook message on the bug.