Facebook reveals security bug exposed personal info of 6m users

22 Jun 2013

The personal account information including emails and phone numbers of 6m Facebook users were exposed by a security bug, the social network admitted last night.

The bug was discovered through a White Hat programme that Facebook uses, involving external hackers, to test its own security. This involves ethical hackers or White Hats attacking the network to discover weaknesses.

“We recently received a report to our White Hat program regarding a bug that may have allowed some of a person’s contact information (email or phone number) to be accessed by people who either had some contact information about that person or some connection to them,” Facebook security said in a post last night.

“Describing what caused the bug can get pretty technical, but we want to explain how it happened. When people upload their contact lists or address books to Facebook, we try to match that data with the contact information of other people on Facebook in order to generate friend recommendations. For example, we don’t want to recommend that people invite contacts to join Facebook if those contacts are already on Facebook; instead, we want to recommend that they invite those contacts to be their friends on Facebook. 

“Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people’s contact information as part of their account on Facebook.

“As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection. This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool.”

The security team said that once the bug was discovered it immediately disabled the DYI tool to fix the problem and once satisfied they switched it back on.

User data did not fall into the wrong hands, Facebook says

“We’ve concluded that approximately 6 million Facebook users had email addresses or telephone numbers shared,” the security team said. “There were other email addresses or telephone numbers included in the downloads, but they were not connected to any Facebook users or even names of individuals.

“For almost all of the email addresses or telephone numbers impacted, each individual email address or telephone number was only included in a download once or twice. This means, in almost all cases, an email address or telephone number was only exposed to one person. Additionally, no other types of personal or financial information were included and only people on Facebook – not developers or advertisers – have access to the DYI tool.

“We currently have no evidence that this bug has been exploited maliciously and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrong doing. Although the practical impact of this bug is likely to be minimal since any email address or phone number that was shared was shared with people who already had some of that contact information anyway, or who had some connection to one another, it’s still something we’re upset and embarrassed by, and we’ll work doubly hard to make sure nothing like this happens again.

“Your trust is the most important asset we have, and we are committed to improving our safety procedures and keeping your information safe and secure. We have already notified our regulators in the US, Canada and Europe, and we are in the process of notifying affected users via email,” Facebook said.

Social network image via Shutterstock

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com