Approximately 6 million users affected; no evidence of malicious exploits of the bug
Facebook's security team made a post today to let users know of a bug that was discovered and fixed that revealed some users' contact information to "friends" they did not intend to share it with. The bug, which was pointed out to Facebook's White Hat Program by an independent entity, involved the combination of users uploading their contact lists to find connections on Facebook and the service's Download Your Information (DYI) tool. When users upload their contact list to the site, Facebook analyzes it to recommend friends with whom the user does not already have a connection, matching up phone numbers and email addresses to keep from offering duplicate contacts. In the course of this analysis, Facebook inadvertently stored this personal information with users' profiles, allowing it to then be handed to other users who downloaded their data with the DYI tool.
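As an added illustration (a constructed example, not Facebook's code; all names, data and functions are hypothetical), the data-handling flaw described above modelled in Python: a contact-matching step that writes identifiers from one user's uploaded address book onto the matched profile, and an export that then hands those identifiers to that profile's friends. The `flawed=False` path keeps imported identifiers out of the profile record and therefore out of the export.

```python
from dataclasses import dataclass, field
from typing import Optional
KEYS = ("email", "phone")

@dataclass
class Profile:
    uid: str
    name: str
    email: Optional[str] = None   # entered by the profile owner
    phone: Optional[str] = None   # entered by the profile owner
    friends: set = field(default_factory=set)
    imported: dict = field(default_factory=dict)  # flaw: filled from others' uploads

def match_uploaded_contacts(profiles, uploader, entries, store_on_profile):
    """Match an uploaded address book to users by email or phone; return uids to suggest.
    store_on_profile=True (the flaw) keeps identifiers the matched user never supplied."""
    suggestions = set()
    for entry in entries:
        for p in profiles.values():
            hit = any(entry.get(k) and entry[k] == getattr(p, k) for k in KEYS)
            if p.uid != uploader and hit:
                suggestions.add(p.uid)
                if store_on_profile:
                    for k in KEYS:
                        if entry.get(k) and getattr(p, k) != entry[k]:
                            p.imported[k] = entry[k]
    return suggestions

def download_your_information(profiles, uid, include_imported):
    """DYI-style export: own record plus each friend's contact details.
    include_imported=True reproduces the leak; False exports self-entered data only."""
    me = profiles[uid]
    out = {"me": {k: getattr(me, k) for k in KEYS}, "friends": {}}
    for fid in me.friends:
        f = profiles[fid]
        rec = {k: getattr(f, k) for k in KEYS}
        if include_imported:
            rec.update(f.imported)  # identifiers another user uploaded, not the friend
        out["friends"][f.name] = rec
    return out

def demo(flawed):
    """Constructed scenario: Bob never gave the site his phone; Carol's book lists it."""
    profiles = {
        "alice": Profile("alice", "Alice", "alice@example.com", friends={"bob"}),
        "bob": Profile("bob", "Bob", "bob@example.com"),
        "carol": Profile("carol", "Carol", "carol@example.com"),
    }
    match_uploaded_contacts(profiles, "carol", [{"email": "bob@example.com", "phone": "+1-555-0100"}], flawed)
    return download_your_information(profiles, "alice", flawed)
```

Running `demo(True)` shows Alice's export containing a phone number for Bob that only Carol ever uploaded; `demo(False)` shows the same export with that field empty.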
The end result, Facebook says, is that approximately 6 million Facebook users possibly had their phone numbers or email addresses made available to people who used the DYI tool to download their own (and therefore their friends' publicly available) Facebook data. For the vast majority of the users whose data was inappropriately shared, Facebook claims each individual address or number was only downloaded with the DYI tool once or twice. No other types of personal information were made available, and the DYI tool was not used by developers or advertisers, just individual users.
Facebook also claims that it is not aware of any malicious or targeted attacks that took advantage of this bug while it existed. For the short term, Facebook disabled its DYI data export tool until the bug was fixed, turning it back on the next day to resume normal activity. This was a fluke accident that was luckily not exploited further, but now may be a good time to go ahead and check your Facebook privacy settings to make sure you're not also inadvertently sharing anything else.