Facebook today reported its most significant exposure of user data to date, saying that partial or complete contact information belonging to 6 million users was inadvertently downloaded by other Facebook users who had some connection to them.
“Although the practical impact of this bug is likely to be minimal since … it’s still something we’re upset and embarrassed by, and we’ll work doubly hard to make sure nothing like this happens again,” the company said in statement released Friday afternoon to its security page.
While users’ information was only revealed to other users, not to cybercriminals, the bug does shine a light on the potential risks of sharing personal information online, particularly in the wake of revelations that major Web companies also shared user metadata with government surveillance programs.
“This should be a reminder to Facebook users that the uploading of personal information to any type of social network or online consumer technology or service is a risk, and they should do all they can to protect themselves as situations like what happened at Facebook could happen again,” said Brian Blau, the director of research at Gartner.
Facebook first became aware of the bug through its White Hat program, which pays security researchers a bounty for discovering potential exploits.
Facebook uses contact information — email addresses and phone numbers — to build lists of people a member can invite to join the social network or to add to his or her social graph within it. It does so by matching the information the user uploads against the information it already holds on other users. The bug caused the contact information Facebook held about a user’s potential social contacts, including details supplied by other members, to be stored alongside that user’s own activity on the network. Users would therefore receive that information when they downloaded their own data with the Download Your Information tool, which was designed to give users more insight into what information the social network held about them.
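To make the data-flow problem concrete, here is an added illustration (not Facebook's code, and a simplified model of the matching and export steps the article describes). Two members upload address books; the server merges every matched entry into one record per account; a self-service export that reads from that merged store hands Alice a phone number for Bob that only Carol ever uploaded. The hardened export scopes each field to the member who supplied it, and a small provenance check flags any exported field the requesting member never provided. All names, addresses and phone numbers are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Contact:
    """One address-book entry a member uploaded (constructed sample data)."""
    uploader: str            # account id of the member who uploaded the entry
    name: str
    email: Optional[str] = None
    phone: Optional[str] = None


@dataclass
class Account:
    account_id: str
    email: str               # the address the member registered with directly


# Constructed sample data: Alice and Carol both uploaded address books.
ACCOUNTS: Dict[str, Account] = {
    "alice": Account("alice", "alice@example.test"),
    "bob": Account("bob", "bob@example.test"),
    "carol": Account("carol", "carol@example.test"),
}
UPLOADS: List[Contact] = [
    # Alice knows only Bob's email address.
    Contact("alice", "Bob", email="bob@example.test"),
    # Carol knows Bob's email and his phone number.
    Contact("carol", "Bob", email="bob@example.test", phone="+1-555-0100"),
]


def match_account(contact: Contact, accounts: Dict[str, Account]) -> Optional[str]:
    """Resolve an uploaded entry to an account id by exact email match."""
    for acct in accounts.values():
        if contact.email and acct.email == contact.email:
            return acct.account_id
    return None


def aggregate_contact_info(uploads: List[Contact], accounts: Dict[str, Account]) -> Dict[str, dict]:
    """Merge every matched upload into one record per account.

    This models the server-side store that mixes data from many uploaders:
    useful for friend suggestions, but never safe to copy into one member's export.
    """
    merged: Dict[str, dict] = {}
    for c in uploads:
        aid = match_account(c, accounts)
        if aid is None:
            continue
        rec = merged.setdefault(aid, {"email": None, "phone": None})
        rec["email"] = rec["email"] or c.email
        rec["phone"] = rec["phone"] or c.phone
    return merged


def export_buggy(member: str, uploads: List[Contact], accounts: Dict[str, Account]) -> List[dict]:
    """Vulnerable shape: lists the accounts the member's upload matched, but fills the
    contact fields from the merged store, so other members' data leaks into the export."""
    merged = aggregate_contact_info(uploads, accounts)
    out = []
    for c in uploads:
        if c.uploader != member:
            continue
        aid = match_account(c, accounts)
        if aid is not None:
            out.append({"account": aid, **merged[aid]})
    return out


def export_fixed(member: str, uploads: List[Contact], accounts: Dict[str, Account]) -> List[dict]:
    """Hardened: only the fields the requesting member uploaded themselves leave the service."""
    out = []
    for c in uploads:
        if c.uploader != member:
            continue
        aid = match_account(c, accounts)
        if aid is not None:
            out.append({"account": aid, "email": c.email, "phone": c.phone})
    return out


def foreign_fields(member: str, export: List[dict], uploads: List[Contact]) -> Set[Tuple[str, str]]:
    """Provenance check for an export: return (account, field) pairs whose value the
    member never supplied. An empty set is the property a release test should assert."""
    supplied = {(c.email, "email") for c in uploads if c.uploader == member and c.email}
    supplied |= {(c.phone, "phone") for c in uploads if c.uploader == member and c.phone}
    leaked: Set[Tuple[str, str]] = set()
    for rec in export:
        for field_name in ("email", "phone"):
            value = rec.get(field_name)
            if value is not None and (value, field_name) not in supplied:
                leaked.add((rec["account"], field_name))
    return leaked


if __name__ == "__main__":
    print("buggy :", export_buggy("alice", UPLOADS, ACCOUNTS))
    print("fixed :", export_fixed("alice", UPLOADS, ACCOUNTS))
    print("leaked:", foreign_fields("alice", export_buggy("alice", UPLOADS, ACCOUNTS), UPLOADS))
```

The useful lesson is in `foreign_fields`: an export endpoint should be tested for provenance, not just for completeness, because a record that is correct for suggestion matching becomes a disclosure the moment it is copied into a different member's download.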
According to the company, there have been no reports of the disclosed contact information being used for malicious purposes. Facebook says it has reported the issue to regulators in the U.S., Europe and Canada, and is notifying affected users by email.