Facebook is alerting its users that a bug may have inadvertently exposed the email addresses and telephone numbers of roughly 6 million users.
The company said the bug affected the “Download Your Information” tool – which users can activate to download an archive of their Facebook account.
The bug may have provided users who activated the tool with the contact details of people with whom they have some sort of connection on the social network, the company said.
The extra contact details would be provided during Facebook’s friend recommendation process.
In a note written on Friday, the company explained the glitch.
“Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people’s contact information as part of their account on Facebook,” the company said in a blog post. “As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection.”
The company said that the contact information was not necessarily accurate because it was provided by other people on Facebook.
It also said that nearly all of the email addresses or telephone numbers that were shared were only included in a download “once or twice.”
“This means, in almost all cases, an email address or telephone number was only exposed to one person. Additionally, no other types of personal or financial information were included and only people on Facebook -- not developers or advertisers -- have access to the DYI tool,” the company said.
Facebook said after being notified of the bug, it immediately disabled the DYI tool and fixed the problem. The tool was reactivated the next day.
The company said so far it has no evidence to believe the bug was exploited and has not received complaints from users. It is in the process of notifying affected users.
It also said that despite its belief that the impact of the bug is likely to be “minimal,” it’s something the company takes seriously.
“It’s still something we’re upset and embarrassed by, and we’ll work doubly hard to make sure nothing like this happens again,” said the company.
The bug was pointed out to Facebook through its White Hat Program, which rewards researchers for reporting any security concerns.