Really … another security breach? We thought Facebook would have things all figured out after it once mislabeled “phone number” as “email address”, confusing a lot of people and app developers in the process. But the major mishap of unwittingly unleashing users’ phone numbers into the Internet wild has happened yet again: Facebook just announced that a bug may have unveiled personal information provided by over 6 million Facebook users.
The bug reportedly caused some of the information usually sent by Facebook to make contact suggestions and lessen the number of friend invites – like the user’s phone number or email address – to be accidentally stored as part of the user’s public contact details. As a result, if a person decided to use the Download Your Information (DYI) tool to access a full archive of their Facebook account, it would include all the emails and phone numbers of all their friends, whether they intended to share it or not.
The social networking site was made aware of the security bug by its own White Hat program, an initiative that financially rewards developers who successfully report weaknesses in the Facebook system. Facebook temporarily took the tool down and put it back online a day after the bug was initially reported. “There were other email addresses or telephone numbers included in the downloads, but they were not connected to any Facebook users or even names of individuals,” Facebook assured users on its official Security page. “For almost all of the email addresses or telephone numbers impacted, each individual email address or telephone number was only included in a download once or twice. This means, in almost all cases, an email address or telephone number was only exposed to one person.”
Facebook ended their notice with the assertion that no evidence has been found proving that the vulnerable information was used in a malicious manner and that no user has filed a complaint for unusual account activity. The company tried to lessen the blow a tiny bit by noting that the bug’s effect is probably negligible, since the people who likely received their friends’ personal information could have already had access to the contact info in the first place. Nonetheless, Facebook was right to apologize to the public and promised to “work doubly hard to make sure nothing like this happens again.”
Facebook is currently in the process of notifying the 6 million individuals who were affected by the breach via email.