Facebook published a blog post on Friday afternoon explaining a security glitch that caused the email addresses or phone numbers of about 6 million users to be unintentionally shared. The glitch arose as part of Facebook’s efforts to make suggestions on who you might want to add as a Facebook friend.
Facebook wrote that the contact information for those affected could have been shared with “their contacts or people with whom they have some connection.”
The company explained the error in detail in the blog post, describing how that data came to be shared and how it was used:
“We’ve concluded that approximately 6 million Facebook users had email addresses or telephone numbers shared. There were other email addresses or telephone numbers included in the downloads, but they were not connected to any Facebook users or even names of individuals. For almost all of the email addresses or telephone numbers impacted, each individual email address or telephone number was only included in a download once or twice. This means, in almost all cases, an email address or telephone number was only exposed to one person. Additionally, no other types of personal or financial information were included and only people on Facebook – not developers or advertisers – have access to the DYI tool.”
The company explained that it learned of the error through a report in its White Hat program, where it rewards external researchers who discover flaws in Facebook’s system.
Facebook wrote in the blog post that the error “allowed some of a person’s contact information (email or phone number) to be accessed by people who either had some contact information about that person or some connection to them.”
Essentially, in order to make better recommendations on who you should connect with on Facebook, the company stored email addresses or phone numbers of users you might know along with information about your own account. So users who went to download their own information might have downloaded the information about other people as well. Facebook reports that no other types of data were shared, and this information was not accessible to developers or advertisers.
The news comes just two weeks after reports of Facebook’s involvement in the government spying program called PRISM, and reports that the company agreed to help with government efforts. Facebook has since lobbied the government to allow it more latitude in providing information publicly about government requests for data.