According to a post on Facebook’s security blog, a bug in the company’s friend recommendation system exposed the contact information of some six million users to others. The bug has been present for about a year, but the company only found out about it in the last 24 hours.
The affected users will be notified by email. The company says there’s no evidence the bug was exploited maliciously.
The bug exists in the Facebook system that tries to match the contact info of people you know with the contact information of user accounts on Facebook. You’ve probably used a tool like this on Facebook or some other service: upload your email address book and Facebook will try to match you up with people you know.
Unfortunately, some of the information used to make friend recommendations was recorded in data archives, and if you used the Download Your Information tool, you might have found email addresses or phone numbers for people with whom you have some kind of connection.
As the post on Facebook describes:
Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people’s contact information as part of their account on Facebook. As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection. This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool.
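To make the failure mode concrete, here is a small model of a contact-matching and archive-export pipeline. It is an added example written for this article, not Facebook's code, and its data shapes (an `Account` with self-entered contacts, a separate store of recommendation hints keyed by the matched user, and two export functions) are assumptions. The buggy export merges third-party-uploaded hints into the exporting user's contact records, which is the behaviour the post describes; the fixed export keeps only data the exporting user supplied, and `leaked_fields` diffs the two.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: str
    email: str
    # Address-book entries this user entered themselves:
    # {contact_user_id: {"email": ..., "phone": ...}}
    contacts: dict = field(default_factory=dict)


@dataclass
class ContactSystem:
    """Hypothetical model: a directory of accounts plus a hint store that is
    populated only from OTHER users' uploaded address books."""
    directory: dict = field(default_factory=dict)  # email -> Account
    hints: dict = field(default_factory=dict)      # subject_user_id -> [{"phone", "source"}]

    def add(self, account):
        self.directory[account.email] = account

    def import_address_book(self, uploader_id, entries):
        """Match uploaded (email, phone) pairs to accounts and keep each match
        as a recommendation hint tagged with who supplied it."""
        matched = []
        for email, phone in entries:
            acct = self.directory.get(email)
            if acct is None:
                continue
            self.hints.setdefault(acct.user_id, []).append(
                {"phone": phone, "source": uploader_id})
            matched.append(acct.user_id)
        return matched

    def export_archive_buggy(self, account):
        """Export that folds recommendation hints into the user's own contact
        records: anyone connected to the subject receives details a third party
        uploaded about them (the leak the article describes)."""
        out = {}
        for cid, own in account.contacts.items():
            rec = dict(own)
            for hint in self.hints.get(cid, []):
                rec.setdefault("phone", hint["phone"])  # fills gaps with someone else's data
            out[cid] = rec
        return out

    def export_archive_fixed(self, account):
        """Export limited to data the exporting user supplied themselves;
        hints stay internal to the recommendation system."""
        return {cid: dict(own) for cid, own in account.contacts.items()}

    def leaked_fields(self, account):
        """Which (contact, field) pairs the buggy export would expose."""
        buggy = self.export_archive_buggy(account)
        fixed = self.export_archive_fixed(account)
        return sorted((cid, k) for cid, rec in buggy.items()
                      for k in rec if k not in fixed[cid])


def demo():
    """Constructed scenario: Alice uploads Bob's phone number; Carol, who only
    stored Bob's email, would receive that number in her buggy archive."""
    sys_ = ContactSystem()
    bob, alice, carol = (Account("bob", "bob@example.com"),
                         Account("alice", "alice@example.com"),
                         Account("carol", "carol@example.com"))
    for a in (bob, alice, carol):
        sys_.add(a)
    carol.contacts["bob"] = {"email": "bob@example.com"}
    sys_.import_address_book("alice", [("bob@example.com", "+1-555-0100")])
    return sys_.leaked_fields(carol)


if __name__ == "__main__":
    print(demo())  # [('bob', 'phone')]
```

The design point is provenance: data learned from one user's upload is tagged with its source and never merged into another user's export, so the recommendation engine can still use it while the archive tool cannot disclose it.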
The bug was reported using the company’s White Hat program for external security researchers. Facebook has disabled the download tool.