Facebook bug exposed personal data of six million accounts

To ease fears, Facebook's security team listed a number of points arguing that the problem has been contained.
Written by Rachel King, Contributor

Just a day after celebrating video coming to Instagram with pomp and circumstance, Facebook was much more serious on Friday regarding a major security malfunction.

Facebook reps wrote in a memo that an external security researcher who is part of its White Hat program discovered "a bug that may have allowed some of a person’s contact information (email or phone number) to be accessed by people who either had some contact information about that person or some connection to them."

Turns out that bug opened up access to the email addresses and phone numbers of approximately six million Facebook members.

For reference, Facebook is the world's largest social network with more than a billion members globally.

Here's an excerpt from Facebook's official statement:

Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people’s contact information as part of their account on Facebook. As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection. This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool.

The Menlo Park, Calif.-headquartered company listed a number of points arguing that the problem has been contained.

For starters, the security team was said to have immediately shut down the downloading tool and fixed the problem by the following day. Additionally, Facebook said that "in almost all cases," the contact information was only exposed to one other person.

Perhaps most importantly, no other types of more sensitive personal or financial data were affected by the security breach.

To put all fears to rest as much as possible, Facebook asserted that it hasn't found any evidence that the bug was actually exploited maliciously.

For now, Facebook is taking steps to notify affected users via email as well as regulators across North America and Europe.
