Facebook recently revealed that the personal information of more than 6 million of its users might have been exposed by a security bug. According to the security firm that helped expose the bug, the data breach is bigger than reported, and may even affect people who don’t use Facebook at all.

On Friday, the company announced that a bug in its Download Your Information (DIY) tool inadvertently gave anyone who used it the contact information of their friends, even if said friends never made certain data public.  

The data leak revealed the existence of so-called “shadow profiles”—dossiers on each user that include information their friends inadvertently share about them by, for example, letting Facebook access a smartphone address book.

"Facebook: Where your friends are your worst enemies," noted Packet Storm Security, the firm that assisted in uncovering the bug.

Facebook sent an email to those affected explaining what had happened, what bit of information about them was accidentally disclosed, and how many people had access to it. Since Packet Storm Security helped expose the vulnerability, they had test data that could be used to determine whether Facebook was being completely forthcoming with its affected users. And apparently, it wasn’t.

"We compared Facebook email notification data to our test case data," they wrote on their blog.

"In one case, they stated 1 additional email address was disclosed, though 4 pieces of data were actually disclosed. For another individual, they only told him about 3 out of 7 pieces of data disclosed. It would seem clear that they did not enumerate through datasets to get an accurate total of the disclosure."

Even worse, because the data revealed via the DIY tool came from contact information uploaded by its users, it's almost a certainty that data belonging to non-Facebook users was also disclosed. 

The implication is that even people who don’t use Facebook may have shadow profiles, based on information gathered from their Facebook-using friends.

When Packet Storm Security asked the social network giant whether they were notifying those individuals of the leak, Facebook said no. 

"Facebook felt that if they attempted to contact non-users, it would lead to more information disclosure," the blog post noted. 

The Daily Dot reached out to Facebook for comment, but a company representative simply referred to us to the company’s Friday post.

Photo via Steven Mileham/Flickr