
Social network giant Facebook said on Friday that a bug in its system had resulted in the accidental exposure of six million of its users' phone numbers and e-mail addresses to people who already had some, or only a little, information about them.
The information leaks, which began in 2012, resulted in Facebook users who downloaded contact data for their list of friends obtaining additional information that they were not supposed to have.
Facebook's post about the bug attracted more than a thousand comments, with some calling for consequences and a fine to be paid. One user said she had been shown that her information had been made public, and that it included four digits of her credit card number.
Another complained that the problem had not been fixed, while many asked for the name of the individual who had downloaded their information.
Please explain
Late on Friday evening, Facebook's White Hat Programme said that because of the bug, some of the information used to make friend recommendations and reduce the number of invitations Facebook sends was inadvertently stored in association with people's contact information as part of their account on Facebook.
"As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional e-mail addresses or telephone numbers for their contacts or people with whom they have some connection.
"This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool," it says.
The programme notes that, after reviewing and confirming the bug, it disabled the tool and was able to turn it back on the next day once it was satisfied that the problem was fixed. However, the glitch led to about six million Facebook users having e-mail addresses or phone numbers shared.
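The mechanism described above, contact data that one person uploaded (for friend suggestions) being stored against another person's profile and then flowing out through that profile's friends' data export, is a provenance-tracking failure. The following added example, which is not Facebook's code and makes no claim about how the DYI tool was built, models that class of bug with a constructed contact store: each stored field carries a provenance tag (entered by the profile owner, or imported from a named user's address book), the buggy export ignores the tag, the fixed export honours it, and an audit function flags any field an exporter should not have received. All names, addresses and numbers are placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ContactField:
    kind: str        # "email" or "phone"
    value: str
    # "owner"        = the profile owner entered this field themselves
    # "upload:<uid>" = it came from <uid>'s address-book import (friend-suggestion data)
    provenance: str


# Constructed contact store keyed by profile owner. Placeholder values only.
CONTACT_STORE = {
    "alice": [ContactField("email", "alice@example.invalid", "owner")],
    "bob": [
        ContactField("email", "bob@example.invalid", "owner"),
        # Carol imported her address book; it contained a number for Bob.
        ContactField("phone", "+1-555-0100", "upload:carol"),
        # Alice's own import contained a second address for Bob.
        ContactField("email", "bob.work@example.invalid", "upload:alice"),
    ],
    "carol": [ContactField("email", "carol@example.invalid", "owner")],
}

# Constructed friend graph.
FRIENDS = {"alice": ["bob", "carol"], "bob": ["alice"], "carol": ["bob"]}


def _allowed_provenance(user):
    """Fields an exporting user may receive: what the contact entered
    themselves, plus what the exporter uploaded in the first place."""
    return {"owner", f"upload:{user}"}


def export_contacts_buggy(user):
    """Export every stored field for each friend, regardless of who supplied it.
    This is the leaking behaviour: Alice receives the number Carol uploaded."""
    return {
        friend: [(c.kind, c.value) for c in CONTACT_STORE[friend]]
        for friend in FRIENDS[user]
    }


def export_contacts_fixed(user):
    """Export only fields whose provenance the exporting user is entitled to."""
    allowed = _allowed_provenance(user)
    return {
        friend: [(c.kind, c.value) for c in CONTACT_STORE[friend] if c.provenance in allowed]
        for friend in FRIENDS[user]
    }


def audit_export(user, export):
    """Return (friend, kind, value, provenance) for every exported field the
    user should not have received. Empty list means no leak; usable as a
    regression check before re-enabling an export feature."""
    allowed = _allowed_provenance(user)
    leaked = []
    for friend, fields in export.items():
        for kind, value in fields:
            for c in CONTACT_STORE[friend]:
                if (c.kind, c.value) == (kind, value) and c.provenance not in allowed:
                    leaked.append((friend, kind, value, c.provenance))
    return leaked


if __name__ == "__main__":
    for name, exporter in (("buggy", export_contacts_buggy), ("fixed", export_contacts_fixed)):
        export = exporter("alice")
        print(name, "export for alice:", export)
        print(name, "leaked fields:", audit_export("alice", export))
```

The point of the audit function is that a leak of this kind is invisible in the export itself: the leaked number looks like any other contact field. Only the provenance recorded at ingestion time tells the two apart, so that tag has to survive whatever merge step moves suggestion data into profile records.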
"There were other e-mail addresses or telephone numbers included in the downloads, but they were not connected to any Facebook users or even names of individuals. For almost all of the e-mail addresses or telephone numbers impacted, each individual e-mail address or telephone number was only included in a download once or twice."
Facebook says this means, in almost all cases, an e-mail address or telephone number was only exposed to one person. In addition, no other types of personal or financial information were included and only people on Facebook - not developers or advertisers - have access to the DYI tool, the social network says.
The programme says the practical impact of this bug is likely to be minimal since any e-mail address or phone number that was shared was distributed to people who already had some of that contact information anyway. Yet, "it's still something we're upset and embarrassed by, and we'll work doubly hard to make sure nothing like this happens again".
Facebook says: "Your trust is the most important asset we have, and we are committed to improving our safety procedures and keeping your information safe and secure." It has notified regulators in the US, Canada and Europe, and is in the process of notifying affected users via e-mail.
The social network has already paid out a "big bounty" to the external security researcher who reported the problem to its programme.
Govt and user info
Earlier this month, Facebook struck an agreement with the US government to release limited information about the number of surveillance requests it receives.
Facebook's general counsel, Ted Ullyot, said in a blog post that it had received between 9 000 and 10 000 US requests for user data in the second half of 2012, covering 18 000 to 19 000 of its users' accounts. Facebook has more than 1.1 billion users worldwide.
"This means that a tiny fraction of one percent of our user accounts were the subject of any kind of US state, local, or federal US government request (including criminal and national security-related requests) in the past six months," Ullyot added.
The majority of those requests were routine police inquiries, a person familiar with the company told Reuters, but under the terms of the deal with the Justice Department, Facebook is precluded from saying how many were secret orders issued under the Foreign Intelligence Surveillance Act (FISA).
Until now, all information about requests under FISA, including their existence, was deemed secret.
User safety
Facebook also reiterated on its blog that it "aggressively" protects its users' data when confronted with such requests.
"We frequently reject such requests outright, or require the government to substantially scale down its requests, or simply give the government much less data than it has requested. And we respond only as required by law," Ullyot said.
Ullyot added that Facebook would continue to be vigilant in protecting its users' data from unwarranted government requests, "and we will continue to push all governments to be as transparent as possible".