Facebook says that it is “upset and embarrassed” after six million users’ phone numbers and email addresses were accidentally shared with their online contacts.
The bug – which revealed the private information of other Facebook users when someone downloaded their own personal data onto their hard drive – existed for more than a year, and was uncovered by the site’s White Hat Program, in which independent security experts are rewarded with bonuses for detecting network vulnerabilities.
Facebook disabled the Download Your Information tool, through which the data was obtained, for 24 hours last week without warning to fix the issue, before acknowledging the existence of the bug on Friday evening.
“We currently have no evidence that this bug has been exploited maliciously and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing,” Facebook reassured users on its blog.
While some users in the comments section underneath applauded the network for voluntarily admitting the existence of the design flaw, others said that they had contacted legal counsel, dissatisfied with a mere apology (Facebook sent an email informing those affected that their account had been compromised).
The company – which has more than 1.1 billion users – says that the vast majority of the numbers and emails were shared with no more than one other person.
Facebook is one of a number of leading US tech companies in the spotlight after security expert Edward Snowden leaked documents that showed that it is a part of the National Security Agency’s (NSA) PRISM program, which collects extensive personal data from millions.
But the social network denies that the NSA has direct access to its servers, and says that it provided US authorities with personal data from 18-19,000 individual accounts in the second half of last year, each time after a substantiated request.
The company has said that it protects its members’ data “aggressively”.