About 6 million Facebook users shared more personal information than they planned thanks to a bug in the social networking service's database system. The flaw was discovered at the end of last week and had been exposing the email addresses and phone numbers of users.
Oops: Facebook exposes private email address and phone numbers
The company said in a statement,
Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people's contact information as part of their account on Facebook. As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection. This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool.
The bug was discovered through Facebook's White Hat program which includes security people from outside the company who are searching for problems like this one. Facebook disabled the DYI tool once it knew about the problem, then brought it back online over the weekend after the bug had been fixed.
According to Facebook, the practical impact of the privacy bug is fairly limited because the people most likely to see the extra information "already had some of that contact information anyway, or who had some connection to one another."
Facebook said it has notified the proper regulatory agencies in the United States, Canada and Europe and is currently notifying affected users through email.