Facebook has admitted to a security breach which exposed details such as emails and phone numbers for six million site users.
The “bug” was found by a researcher working for the social network’s White Hat program, where security researchers are paid “bug bounties” of $500 and up for finding bugs.
“We recently received a report to our White Hat program regarding a bug that may have allowed some of a person’s contact information (email or phone number) to be accessed by people who either had some contact information about that person or some connection to them,” Facebook said in a blog post.
The company admitted that it was “upset and embarrassed” in its blog post. The bug allowed people to see information such as email addresses and phone numbers for either contacts or people with whom they had some connection on the network.
Facebook says that it has “no evidence” that the bug was used maliciously, nor any evidence of “anomalous behavior on the tool or site to suggest wrongdoing”.
“When people upload their contact lists or address books to Facebook, we try to match that data with the contact information of other people on Facebook in order to generate friend recommendations,” the company said. “Because of the bug, some of the information used to make friend recommendations was inadvertently stored in association with people’s contact information as part of their account on Facebook. As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection.”
Facebook engineers immediately disabled the tool and restored it within 24 hours.