Facebook said Friday that contact information for as many as 6 million of its users may have been exposed through a bug recently reported to the company’s security team.
In a company blog post written by Facebook’s security team, the social network said that the flaw allowed some people to see users’ e-mail addresses or phone numbers without permission.
“When people upload their contact lists or address books to Facebook, we try to match that data with the contact information of other people on Facebook in order to generate friend recommendations,” the company said in the post. “Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people’s contact information as part of their account on Facebook.”
This additional contact information was then inadvertently included when users downloaded archives of their own Facebook information.
In almost all cases, the company said, an e-mail address or phone number was only exposed to one person. No other personal or financial information was included, and the firm said that developers and advertisers that use Facebook were not able to see in information.
The social network said that it does not believe the bug has been exploited for malicious purposes and that it hasn’t received any complaints from customers about the problem. The firm also said that it has notified regulators in the U.S., Canada and Europe about the breach.
The bug was found and reported by a security research using Facebook’s “White Hat” program, which pays individuals for finding security problems on its site.
(Washington Post Co. chairman and chief executive Donald E. Graham is a member of Facebook’s board of directors.)