Yesterday, Facebook Security posted a note about a recent bug, discovered through their White Hat program, that could have compromised the contact information of up to 6,000,000 users.
The note describes it as “a bug that may have allowed some of a person’s contact information (email or phone number) to be accessed by people who either had some contact information about that person or some connection to them.”
Facebook went on to say that describing how the bug worked was pretty technical, but it’s related to the contact list / address book upload feature on the platform. Facebook basically made a boo boo when matching up personal data and connections.
When people used the DYI (Download Your Information) tool, it’s possible that they also received additional email addresses and phone numbers for their contacts and even for people with whom they have no connection. The good news is that developers and advertisers do not have access to this tool.
Facebook assured users that they have found no evidence of this bug being used maliciously and that affected user information was likely shared with only one person. Facebook immediately disabled the DYI tool and squashed the bug within a day.
Facebook concluded the note by apologizing and stating that they will work even harder to make sure something like this doesn’t happen in the future.