A Facebook bug in the company’s Download Your Information (DYI) tool has recently revealed more than it intended when a bug led it to leak the contact information of approximately six million users.
In an Facebook advisory posted on Friday, the company’s security team explained that the code the social network uses to make friend recommendations inadvertently caused the email addresses and phone numbers of potential contacts to be associated with other users’ account data. If those users then used the Download Your Information tool the incorrectly added contact information would be included in the download, whether the users were actually friends with the owners of the addresses or not. In all, the security team at Facebook has come to the conclusion that the addresses or phone numbers of approximately six million Facebook users were leaked in this way – that is the equivalent of about 0.54 per cent of the social network’s global user base.
The bug was first brought to Facebook’s attention by an independent security researcher, whom the social networking site’s security staff say has already been paid a bug bounty for his efforts. In addition, Facebook has notified its regulators in the US, Canada, and Europe of the incident and is in the process of notifying affected users via email.
Facebook’s White Hat staff wrote: “After review and confirmation of the bug by our security team, we immediately disabled the DYI tool to fix the problem and were able to turn the tool back on the next day once we were satisfied that the problem had been fixed.”
Facebook‘s security staff have determined that each individual email address or phone number was typically only included in a download once or twice, meaning it was only leaked to one person. In addition to this, Facebook have assured that only the other people could have had access to the data, as opposed to advertisers or developers and no other financial or personal information was disclosed. Although the social network has downplayed the severity of the leak and it doubts that the bug was ever exploited for malicious purposes, it’s still sheepish about the incident.
The White hat Team responded, “It’s still something we’re upset and embarrassed by, and we’ll work doubly hard to make sure nothing like this happens again…Your trust is the most important asset we have, and we are committed to improving our safety procedures and keeping your information safe and secure.”
That being said, does that make you feel safe and secure?
[Image via newsit]