Once again exacerbating concerns that social and mobile security mechanisms are insufficient to protect the personal information of millions of people, new reports indicate that a Facebook security bug in existence since last year helped to expose the contact information of six million Facebook users.
The company acknowledged the bug’s existence in a blog post, stating the error has existed on its servers since 2012 and has so far affected six million accounts.
The bug, which exposed the personal contact information of certain accounts, was found by independent researchers through the company’s White Hat program. According to a report by TechCrunch, email addresses and phone numbers could be viewed by people who “had some contact information about that person or some connection to them.”
According to Facebook, the bug relates to the social network’s friend discovery process. The company mentioned the following in their post:
When people upload their contact lists or address books to Facebook, we try to match that data with the contact information of other people on Facebook in order to generate friend recommendations. For example, we don’t want to recommend that people invite contacts to join Facebook if those contacts are already on Facebook; instead, we want to recommend that they invite those contacts to be their friends on Facebook.
The bug caused some of the data used to connect with friends to be stored alongside a person’s contact information. By using the Download Your Information (DYI) tool, people were granted access to a user’s private email addresses and phone numbers that would otherwise be hidden.
As we understand it, the DYI tool has since been deactivated while Facebook flushes the bug from its system.
According to the latest details available, the bug has not been exploited maliciously, and Facebook is reaching out to the affected users.