Security research firm Packet Storm Security first discovered the bug, and it says that its own data and the data Facebook reported to users don’t quite match up. The researchers say that what Facebook told its users was much less than what the researchers found. They also said that the social network is hoarding non-user contact information.
This means that even if you don’t have a Facebook account, you most likely have friends that do, and if they have you in their contacts, this could mean that Facebook still has information on you, and it’s being exposed. Obviously, users are furious that their not-for-sharing phone numbers and email addresses are being collected by Facebook, and now accidentally shared.
These “shadow profiles” of non-Facebook users were accidentally merged with user accounts in data history record requests. When a user took advantage of the Download Your Information (DYI) tool on Facebook to get a record of their data history, they also got an address book with contacts that they had never provided to Facebook without their knowledge.
It’s a pretty sticky situation, and Facebook is essentially not telling the full story, according to Packet Storm. The security research firm insists that a lot more information was exposed than that of just six million users, but it seems the best thing to do now is delete your imported contacts from Facebook until the social network maybe finds a fix for the issue.