Facebook : Security Bug Revealed 6 Million Users’ Info

On Friday, Facebook admitted that a bug made the private contact information — either email addresses or phone numbers — of 6 million users accidentally accessible to Facebookers who downloaded their account histories onto their own computers.Compared to Facebook’s over 1 billion total members, 6 million isn’t much. But any security flaw has the potential to frighten people away from a website.

The breach was caused by an unfortunate combination of Facebook’s “People You May Know” and “Download Your Information” features. “People You May Know” offers friend suggestions based in part on other users’ uploaded contact lists or address books; “Download Your Information” offers a downloadable version of your Facebook Timeline archive.

When some users downloaded their Facebook archives with “Download Your Information,” the archive included contact information for second-tier connections with whom Facebook thought those users might want to connect but who hadn’t yet received or approved a friend request from that user.

Facebook said the security bug did not reveal other personal or financial data and that only people on Facebook – not developers or advertisers – accessed the DYI tool. Therefore, the bug was not exploited maliciously. 

“For almost all of the email addresses or telephone numbers impacted, each individual email address or telephone number was only included in a download once or twice,” Facebook clarified. “This means, in almost all cases, an email address or telephone number was only exposed to one person.”

Facebook said it reviewed and confirmed the security bug, and therefore immediately disabled the DYI tool to fix the problem. The tool is now back online, however, because the problem has been resolved.

The bug was found not by Facebook’s team, but by someone going through Facebook’s “white hat” hacker program, which offers a bounty for anyone who can find bugs on the site, paying a minimum reward of $500 per bug.