This afternoon, Facebook made one of those announcements a company never really wants to have to make: they’ve had a rather unfortunate bug problem. The big problem here was, as Facebook notes, that their most recent method for recommending friends to new users also contained contact information of users – this being information added to Facebook by the users, mind you, nothing deeper than that.
This sort of thing doesn’t necessarily affect the everyday Facebook citizen, and it’s not as if you’ll be needing to change your address or credit card number any time soon (unless you store those sorts of things in your Facebook account, for whatever reason). Instead, this breach was discovered by the Facebook security team, which fixed the situation by disabling their “download-your-information” tool.
“We’ve concluded that approximately 6 million Facebook users had email addresses or telephone numbers shared. There were other email addresses or telephone numbers included in the downloads, but they were not connected to any Facebook users or even names of individuals. For almost all of the email addresses or telephone numbers impacted, each individual email address or telephone number was only included in a download once or twice. This means, in almost all cases, an email address or telephone number was only exposed to one person. Additionally, no other types of personal or financial information were included and only people on Facebook – not developers or advertisers – have access to the DYI tool.” – Facebook
So no developers and no advertising agencies were able to see this information, but basically any Facebook user could. Does that keep your worries at bay?
Note also that the DYI tool was turned back on not long after it’d been shut down for a short period. No worries, continue with the downloading!
“After review and confirmation of the bug by our security team, we immediately disabled the DYI tool to fix the problem and were able to turn the tool back on the next day once we were satisfied that the problem had been fixed.” -Facebook
Facebook’s message includes a note that suggests that they are “in the process of notifying affected users via email.” They’ve also been clear that the user who found the security breach made the report to their White Hat program, which in turn paid out a “bug bounty” as a reward. Remember that, kids – find the breaks in the internet and ye shall be handsomely rewarded!