Facebook today admitted that contact information of approximately 6 million users was leaked due to a bug in its DYI (Download Your Information) tool. The social media giant said that the bug could have disclosed email addresses or telephone numbers to unauthorized viewers over the past year.
In an advisory note published today, Facebook said it recently received a report through its White Hat program describing the bug.
In its security note, Facebook said:
“If a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection. This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool.
After review and confirmation of the bug by our security team, we immediately disabled the DYI tool to fix the problem and were able to turn the tool back on the next day once we were satisfied that the problem had been fixed”.
Explaining the bug, Facebook said that when people upload their contact lists or address books to Facebook, it tries to match that data with the contact information of other people on Facebook in order to generate friend recommendations.
Because of this bug, some of the information used to make friend recommendations and to reduce the number of invitations Facebook sends was inadvertently stored in association with people’s contact information as part of their account on Facebook. As a result, if a person went to download an archive of their Facebook account through the Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection. This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool.
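A minimal model of the flaw described above, as an added example that is not Facebook's code: the per-person key and all class and function names are assumptions, and the data is constructed. It contrasts an export that returns everything merged under a contact with one scoped to what the requester uploaded, plus a check that flags values the requester never supplied.

```python
from collections import defaultdict


class ContactStore:
    """Toy model: address-book entries merged per person for friend matching."""

    def __init__(self):
        self.merged = defaultdict(list)  # person -> [(uploader, value)], provenance kept
        self.books = defaultdict(set)    # uploader -> persons in that uploader's book

    def upload(self, uploader, person, value):
        self.books[uploader].add(person)
        self.merged[person].append((uploader, value))

    def export_unscoped(self, requester):
        # Flawed: returns every value merged under a contact, whoever supplied it.
        return {p: sorted({v for _, v in self.merged[p]})
                for p in sorted(self.books[requester])}

    def export_scoped(self, requester):
        # Scoped: returns only the values this requester uploaded.
        return {p: sorted({v for u, v in self.merged[p] if u == requester})
                for p in sorted(self.books[requester])}


def leaked_values(store, requester, export):
    """Values present in an export that the requester never supplied."""
    own = {(p, v) for p in store.books[requester]
           for u, v in store.merged[p] if u == requester}
    exported = {(p, v) for p, vals in export(requester).items() for v in vals}
    return sorted(exported - own)


def build_sample():
    # Constructed data: two users hold different details for the same contact.
    store = ContactStore()
    store.upload("alice", "bob", "bob@example.com")
    store.upload("carol", "bob", "+1-555-0100")
    store.upload("carol", "bob", "bob.alt@example.net")
    return store


if __name__ == "__main__":
    s = build_sample()
    print("unscoped leak:", leaked_values(s, "alice", s.export_unscoped))
    print("scoped leak:  ", leaked_values(s, "alice", s.export_scoped))
```

The `leaked_values` check works as a regression test for any export path: an empty result means the archive contains only data the requester provided.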
Calling the bug embarrassing, Facebook said that it is working hard to ensure that this security lapse doesn’t surface again in the future. As part of its security measures, Facebook is contacting affected people via email.
As users, did you notice something suspicious with your Facebook account? Do share your experiences.