A bug in Facebook’s data archive has inadvertently exposed personal details of about six million users.
The bug meant email and telephone numbers were accidentally shared with people that would not otherwise have had access to the information.
So far, there was no evidence the data exposed was being exploited for malicious ends, said Facebook.
It said it was “upset and embarrassed” by the bug, which was found by a programmer outside the company.
The data exposure came about because of the way that Facebook handled contact lists and address books uploaded to the social network, it said in a security advisory.
Typically, it said, it analyzed the names and contact details on those lists so it could make friend recommendations and put people in touch with those they knew.
The bug meant some of the information Facebook generated during that checking process was stored alongside the uploaded contact lists and address books.
That meant, said Facebook, that when someone had downloaded their profile this extra data had travelled with it, letting people see contact details that had not been explicitly shared with them.
An investigation into the bug showed that contact details for about six million people were inadvertently shared in this way. Despite this, Facebook said the “practical impact” had been small because information was most likely to have been shared with people who already knew the affected individuals.
The bug had now been fixed, it added.
Facebook was alerted to the bug by a member of its “White Hat” program who checks the site’s code for glitches and other loopholes. A bounty for the bug has been paid to the programmer who found it.
Security analyst Graham Cluley criticized Facebook’s release of the information just before the weekend and said the disclosure had been more about “damage limitation” than making sure the information reached as wide an audience as possible.