Facebook took to their security page to apologise again today, after the site admitted a bug had “inadvertently” exposed the personal information of six million users.
In a blog post, the site said they were “upset and embarrassed” after their White Hat security program detected the bug, by which time it had already affected millions of user accounts.
Although “describing what caused the bug can get pretty technical”, the company said they wanted to explain exactly what happened, to stress that “the practical impact of this bug is likely to be minimal”.
Facebook explained that anyone attempting to download an archive of their profile information using the Download Your Information (DYI) tool may have been provided with the email addresses or telephone numbers of people with whom they shared connections on the site. The email addresses and telephone numbers of the estimated six million people affected were given out to other users “once or twice”.
“This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool,” they said.
“After review and confirmation of the bug by our security team, we immediately disabled the DYI tool to fix the problem and were able to turn the tool back on the next day once we were satisfied that the problem had been fixed.”
Facebook reassured users that in “almost all cases”, each email address or telephone number was only exposed to one person. “Additionally, no other types of personal or financial information were included and only people on Facebook – not developers or advertisers – have access to the DYI tool.”
They added that they had received no information to suggest that the bug was malicious or that complaints had been made by users who had noticed “anomalous behaviour” or “wrongdoing”.
The problem has since been rectified and Facebook have made regulators in the US, Canada and Europe aware. They are now in the process of notifying those affected.