Due to the bug, information that Facebook normally uses to recommend friends, including emails and phone numbers, was included in their own contact details. So whenever users downloaded an archive of their Facebook account through the Download Your Information (DYI) tool, they also downloaded these emails and phone numbers, regardless of whether their friends had made the details publicly available.
Facebook was alerted to the bug by its White Hat program, which encourages developers to report vulnerabilities on the site for a monetary reward. The site immediately disabled the tool and brought it back online the following day.
“There were other email addresses or telephone numbers included in the downloads, but they were not connected to any Facebook users or even names of individuals,” the company explained on the Facebook Security page.
The company stressed that it has no evidence that any of the contact information inadvertently shared through the bug was maliciously exploited and it believes that the bug’s impact was minimal.
“Your trust is the most important asset we have, and we are committed to improving our safety procedures and keeping your information safe and secure,” Facebook said.
Facebook said that it has notified regulators in the U.S., Canada, and Europe, and the company is in the process of contacting the affected users by email.
It’s not the first privacy scare for Facebook users this year. In January, a bug in the popular curation tool Storify allowed users to publish any status update shared by their friends on Facebook, whether it was private or not. Earlier this month, critics alleged that Facebook’s new Swedish data center allowed for unfettered snooping on user data, thanks to a law permitting the government to listen in on any data that passes its borders.
Illustration by Jason Reed