Facebook leaks 6 million users’ contact information


Tuesday, 25 June, 2013

Facebook has revealed that it inadvertently leaked the contact information of about six million of its users since last year.

The company revealed the nature of the leaks in a post on Facebook.com titled ‘Important Message from Facebook’s White Hat Program’.

According to the post, a bug in Facebook “may have allowed some of a person’s contact information (email or phone number) to be accessed by people who either had some contact information about that person or some connection to them.”

The post provided some explanation of the bug in question and how it led to the leaks.

“When people upload their contact lists or address books to Facebook, we try to match that data with the contact information of other people on Facebook in order to generate friend recommendations,” the post read.

“For example, we don’t want to recommend that people invite contacts to join Facebook if those contacts are already on Facebook; instead, we want to recommend that they invite those contacts to be their friends on Facebook,” it went on.

“Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people’s contact information as part of their account on Facebook.”

This becomes a greater problem when combined with Facebook’s Download Your Information (DYI) tool, which allows users to download an archive of their data, including contact information, interests, timeline information, photos, videos, friend list, notes, sent and received messages, comments and more.

Thanks to the bug, people using the DYI tool may have been provided with additional email addresses or telephone numbers for their contacts, or “people with whom they have some connection”. According to the post, this contact information was provided by other people on Facebook and may not necessarily be accurate.
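To make the data flow the post describes concrete, here is a small constructed model of it, added for this article and not Facebook's code. It assumes a simplified directory where each account holds only the contact details its owner entered, an address-book upload that matches contacts to accounts for friend suggestions, and a "download your information" export that includes a user's friends' contact details. The defective version merges the uploader's copy of a contact's details into the matched account, so the export of any friend of that account leaks data the account holder never supplied; the corrected version keeps uploader-supplied data for matching only. All names, addresses and numbers are constructed.

```python
"""Hypothetical model of address-book matching feeding a data export.
Constructed for illustration; not Facebook's implementation."""
from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: str
    emails: set = field(default_factory=set)   # entered by the account holder
    phones: set = field(default_factory=set)   # entered by the account holder
    friends: set = field(default_factory=set)


@dataclass
class Directory:
    accounts: dict = field(default_factory=dict)
    # uploader user_id -> set of matched user_ids to suggest as friends
    recommendations: dict = field(default_factory=dict)


def _find_match(directory, email, phone):
    """Return the account whose own contact info matches the uploaded contact."""
    for acct in directory.accounts.values():
        if (email and email in acct.emails) or (phone and phone in acct.phones):
            return acct
    return None


def upload_address_book_buggy(directory, uploader_id, contacts):
    """Match contacts for friend suggestions, but (the defect) store the
    uploader's copy of each contact's details on the matched account."""
    for email, phone in contacts:
        acct = _find_match(directory, email, phone)
        if acct is None:
            continue
        directory.recommendations.setdefault(uploader_id, set()).add(acct.user_id)
        # Defect: data supplied by the uploader is written into the matched
        # user's own account record, where later exports will pick it up.
        if email:
            acct.emails.add(email)
        if phone:
            acct.phones.add(phone)


def upload_address_book_fixed(directory, uploader_id, contacts):
    """Same matching, but uploader-supplied data is used only to compute the
    recommendation and is never written to the matched account."""
    for email, phone in contacts:
        acct = _find_match(directory, email, phone)
        if acct is None:
            continue
        directory.recommendations.setdefault(uploader_id, set()).add(acct.user_id)


def download_your_information(directory, user_id):
    """Export archive: the user's own contact info plus that of their friends."""
    me = directory.accounts[user_id]
    archive = {
        "me": {"emails": sorted(me.emails), "phones": sorted(me.phones)},
        "friends": {},
    }
    for fid in sorted(me.friends):
        friend = directory.accounts[fid]
        archive["friends"][fid] = {
            "emails": sorted(friend.emails),
            "phones": sorted(friend.phones),
        }
    return archive


def scenario(upload):
    """Run one upload with the given matching function and return what a
    third user (Carol, a friend of Alice) sees in her export, plus the friend
    suggestions the uploader (Bob) receives."""
    d = Directory()
    d.accounts["alice"] = Account("alice", emails={"alice@example.com"}, friends={"carol"})
    d.accounts["bob"] = Account("bob", emails={"bob@example.com"})
    d.accounts["carol"] = Account("carol", emails={"carol@example.com"}, friends={"alice"})
    # Constructed address book: Bob holds a phone number for Alice that she
    # never gave the site, plus a contact that matches nobody.
    upload(d, "bob", [("alice@example.com", "+1-555-0100"), ("nobody@example.net", None)])
    return {
        "carol_archive": download_your_information(d, "carol"),
        "bob_recommendations": d.recommendations.get("bob", set()),
    }


if __name__ == "__main__":
    for name, fn in (("buggy", upload_address_book_buggy), ("fixed", upload_address_book_fixed)):
        result = scenario(fn)
        print(name, "-> Carol sees for Alice:", result["carol_archive"]["friends"]["alice"])
```

Both versions produce the same friend suggestion for Bob, which is the point of the check: the fix separates the data used for matching from the data that belongs to an account, without losing the feature. The defender's takeaway is about provenance, since contact details a third party uploaded about someone are that third party's data, not the subject's, and must not be written into a record that the subject's friends can later export.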

Exposure

Facebook said that about six million users had email addresses or telephone numbers shared.

There were also other email addresses and telephone numbers included in the downloads, but these were not connected to any Facebook users or to the names of individuals.

The company said that almost all of the email addresses and telephone numbers impacted were downloaded only once or twice. The company insists that “in almost all cases, an email address or telephone number was only exposed to one person.”

The post also said that “only people on Facebook - not developers or advertisers - have access to the DYI tool.”

TechCrunch reported that the bug had been live since last year and was discovered the week of 10 June.

Facebook did not publicly acknowledge the bug until 22 June. According to a Facebook spokesman, the delay was due to company procedure, under which regulators and affected users are notified before a public announcement is made.

“We currently have no evidence that this bug has been exploited maliciously and we have not received complaints from users or seen anomalous behaviour on the tool or site to suggest wrongdoing,” Facebook said.

The problem was brought to Facebook’s attention via its ‘White Hat’ program, which allows security researchers to submit bug reports to the company and potentially earn a ‘bug bounty’. The rewards start at US$500 and have no upper limit - “each bug is awarded a bounty based on its severity and creativity,” the company’s site says.

After confirming the bug, Facebook “immediately” disabled the DYI tool, turning it back on the next day once it was satisfied the problem had been fixed.

The company has notified regulators in the US, Canada and Europe, and is notifying affected users via email.

Facebook also said it had paid a bounty to a bug-finding researcher “to thank him for his efforts.”
