Facebook managed to leak out private contact data of millions of users

Jun 22, 2013 08:08 GMT  ·  By

Facebook has revealed that a bug in the way it handled contact data made it possible for private contact information to leak via its Download Your Information (DYI) export tool. In total, about six million users had an email address or phone number exposed to other users.

The impact was limited: each leaked email address or phone number reached only one or two other people, and those people already held some contact information for the person it belonged to.

To make friend recommendations, or to invite your contacts to join, Facebook lets you import contact lists from other social networks, from your email account or from your phone.

This imported data is supposed to be stored privately and separately from the main account data. It is never supposed to be shared with anyone; Facebook uses it internally only to match people who may know each other.

Somehow, though, this imported data did get attached to people's Facebook accounts. As a result, contact details for a user's friends, details those friends had never themselves shared, were included alongside the legitimate data in the archive produced by the Download Your Information tool, which, as the name suggests, lets users export their own information from Facebook.
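A model of the data flow described above, added here as an example (it is not Facebook's code and makes no claim about how Facebook's systems are built): imported address books are matched against self-provided profile fields, the bug is modelled as the matcher writing imported details onto the matched account, and the export routine shows why a separate, provenance-tagged store is the control that matters. All names, addresses and numbers are constructed sample data.

```python
"""Contact-import matching beside a Download Your Information style export.

Added example, not Facebook's code: an in-memory model of the data flow the
article describes. Accounts, addresses and phone numbers are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Detail = Tuple[str, str]  # (kind, value), e.g. ("email", "bob@example.com")


@dataclass(frozen=True)
class ContactField:
    kind: str
    value: str
    source: str   # "self": owner entered it on their profile; "import:<uploader>" otherwise
    shared: bool  # owner's privacy setting: visible to friends or not


@dataclass
class Account:
    user_id: str
    fields: List[ContactField] = field(default_factory=list)
    friends: Set[str] = field(default_factory=set)


class Directory:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        # Uploaded address books live here, tagged with uploader and matched owner,
        # and are never written onto an Account. Only matching reads them.
        self.imports: List[Tuple[str, str, ContactField]] = []

    def add_account(self, user_id: str, details: List[Tuple[str, str, bool]],
                    friends: Set[str]) -> None:
        fields = [ContactField(k, v, "self", shared) for k, v, shared in details]
        self.accounts[user_id] = Account(user_id, fields, set(friends))

    def find_owner(self, kind: str, value: str) -> Optional[str]:
        """Match one uploaded detail against self-provided profile fields only."""
        for acct in self.accounts.values():
            if any(f.source == "self" and f.kind == kind and f.value == value
                   for f in acct.fields):
                return acct.user_id
        return None

    def ingest_address_book(self, uploader: str, contacts: List[List[Detail]],
                            buggy: bool) -> Set[str]:
        """Store an uploaded address book; return matched user ids, which is all
        the friend-recommendation logic needs.

        buggy=True models the failure the article describes: every detail of a
        matched contact is written onto the matched account as though the owner
        had entered it, so the record no longer knows where the data came from.
        """
        matched: Set[str] = set()
        for contact in contacts:
            owner = None
            for kind, value in contact:
                owner = self.find_owner(kind, value)
                if owner:
                    break
            if owner is None:
                continue  # unmatched entries drive invitations only; nothing is attached
            matched.add(owner)
            for kind, value in contact:
                acct = self.accounts[owner]
                if buggy:
                    # Provenance is lost here: an uploaded number becomes indistinguishable
                    # from one the owner typed in, and no privacy setting was ever chosen.
                    if not any(f.value == value for f in acct.fields):
                        acct.fields.append(ContactField(kind, value, "self", True))
                else:
                    self.imports.append(
                        (uploader, owner, ContactField(kind, value, f"import:{uploader}", False)))
        return matched

    def export_dyi(self, user_id: str) -> Dict[str, object]:
        """Archive a user downloads: own profile fields plus what each friend shares.

        The source check is defence in depth against any other path that attaches
        tagged import data to an Account; it cannot help once the buggy ingest has
        relabelled data as "self", which is why the separate store is the real control.
        """
        me = self.accounts[user_id]
        friends: Dict[str, List[Detail]] = {}
        for fid in sorted(me.friends):
            friends[fid] = [(f.kind, f.value) for f in self.accounts[fid].fields
                            if f.shared and f.source == "self"]
        return {"profile": [(f.kind, f.value) for f in me.fields], "friends": friends}


def run_scenario(buggy: bool) -> Tuple[Set[str], Dict[str, object]]:
    """Constructed scenario: carol uploads an address book holding bob's e-mail and
    a phone number bob never gave the site; alice, bob's friend, then downloads
    her archive. Returns (matched ids, alice's archive)."""
    d = Directory()
    d.add_account("bob", [("email", "bob@example.com", True),
                          ("phone", "+1-555-0199", False)], {"alice"})  # bob keeps this private
    d.add_account("alice", [("email", "alice@example.com", True)], {"bob"})
    d.add_account("carol", [("email", "carol@example.com", True)], set())
    carols_book = [[("email", "bob@example.com"), ("phone", "+1-555-0100")]]
    matched = d.ingest_address_book("carol", carols_book, buggy)
    return matched, d.export_dyi("alice")
```

With `buggy=True`, alice's archive lists a phone number for bob that only carol's address book ever held, while bob's own unshared number stays hidden because it carries a real privacy setting. With the separate store, the archive lists only the e-mail bob chose to share, and the matcher still returns `{"bob"}` as the recommendation signal, so the privacy fix costs the feature nothing.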

Facebook was made aware of the bug when a security researcher reported it through the company's White Hat program. The researcher received a bug bounty for the report, but Facebook did not disclose the researcher's identity or the size of the reward.

"We've concluded that approximately 6 million Facebook users had email addresses or telephone numbers shared. There were other email addresses or telephone numbers included in the downloads, but they were not connected to any Facebook users or even names of individuals," Facebook explained.

"For almost all of the email addresses or telephone numbers impacted, each individual email address or telephone number was only included in a download once or twice," it added.

"This means, in almost all cases, an email address or telephone number was only exposed to one person. Additionally, no other types of personal or financial information were included and only people on Facebook – not developers or advertisers – have access to the DYI tool," it said.

The company doesn't believe the bug was exploited in any way and says it has received no complaints from users about it. Affected users are being notified by email, and Facebook has also informed regulators in the US, Canada and Europe.