Facebook exposes up to 6 million users' information in data bungle

Social media giant Facebook has come out and said that it may have inadvertently exposed the contact details of 6 million users through a technical glitch. Facebook released the details of the glitch and how they fixed it in a security press release and called for calm. I’ll link the full release below, but I’ve highlighted some parts that I found interesting and important.

Describing what caused the bug can get pretty technical, but we want to explain how it happened. When people upload their contact lists or address books to Facebook, we try to match that data with the contact information of other people on Facebook in order to generate friend recommendations. For example, we don’t want to recommend that people invite contacts to join Facebook if those contacts are already on Facebook; instead, we want to recommend that they invite those contacts to be their friends on Facebook.

Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people’s contact information as part of their account on Facebook. As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection. This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool.

We’ve concluded that approximately 6 million Facebook users had email addresses or telephone numbers shared. There were other email addresses or telephone numbers included in the downloads, but they were not connected to any Facebook users or even names of individuals. For almost all of the email addresses or telephone numbers impacted, each individual email address or telephone number was only included in a download once or twice. This means, in almost all cases, an email address or telephone number was only exposed to one person. Additionally, no other types of personal or financial information were included and only people on Facebook – not developers or advertisers – have access to the DYI tool.


Scarily, ZDNet has pointed to evidence showing the glitch was active for at least 12 months and that the leaked information involved combining shadow profiles (information on people not on Facebook) with real-world contact information harvested from friends (such as when you synced contacts with the Facebook app on your phone).

There is a lot of anger online about this as it is another privacy abuse perpetrated by Facebook that has stripped away a lot of the protections that people have taken to safeguard their information. Here’s the link to the ZDNet article; below are some highlights that I found interesting.

According to Reuters, the data leak spanned a year beginning in 2012. The personal information leaked by the bug is information that had not been given to Facebook by the users – it is data Facebook has been compiling on its users behind closed doors, without their consent.

A growing number of Facebook users are furious and demand to know who saw private information they had expressly not given to Facebook.

Facebook was accidentally combining users’ shadow profiles with their Facebook profiles and spitting the merged information out in one big clump to people they ‘had some connection to’ who downloaded an archive of their account with Facebook’s Download Your Information (DYI) tool.

The action of the bug is that if a user downloaded their own Facebook history, that user would also download email addresses and phone numbers of their friends that other people had in their address books, without their friends ever knowing Facebook had gathered and stored that information.

This data is being gathered by Facebook about individuals through their friends’ information about them – harvested when a user grants Facebook address book or contact list access.
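
A simplified model of the bug that both the Facebook statement and the ZDNet excerpts describe, added here as an illustration and not Facebook's code: the function names, the sample data and the assumption that each contact is already resolved to an account id are all constructed. It puts an export that reads the merged matching record next to one scoped to the owner's own uploads, with an audit that flags any exported value the owner never supplied.

```python
from collections import defaultdict

# Constructed sample data: uploader -> list of (matched_account_id, contact_point).
# "carol_id" is a hypothetical id for one person found in two address books.
UPLOADS = {
    "alice": [("carol_id", "carol@example.com")],
    "bob": [("carol_id", "carol.private@example.org"),
            ("carol_id", "+1-555-0100")],
}

def own_contacts(owner, uploads):
    """Contact points grouped by account id, from this owner's uploads only."""
    book = defaultdict(set)
    for account_id, point in uploads[owner]:
        book[account_id].add(point)
    return dict(book)

def build_match_index(uploads):
    """Merge every uploader's data per account, as friend matching needs."""
    index = defaultdict(set)
    for entries in uploads.values():
        for account_id, point in entries:
            index[account_id].add(point)
    return index

def export_buggy(owner, uploads):
    """Flawed export: serves the merged match record for each of the owner's contacts."""
    index = build_match_index(uploads)
    return {acc: set(index[acc]) for acc in own_contacts(owner, uploads)}

def export_scoped(owner, uploads):
    """Corrected export: serves only what the owner uploaded."""
    return own_contacts(owner, uploads)

def audit_export(owner, uploads, export_fn):
    """Return exported contact points that the owner never supplied."""
    supplied = own_contacts(owner, uploads)
    leaks = {}
    for account_id, points in export_fn(owner, uploads).items():
        extra = points - supplied.get(account_id, set())
        if extra:
            leaks[account_id] = extra
    return leaks

if __name__ == "__main__":
    print("buggy :", audit_export("alice", UPLOADS, export_buggy))
    print("scoped:", audit_export("alice", UPLOADS, export_scoped))
```

An audit of this kind works as a release test for any data-export feature: the export for one account should never contain a value that only another account provided.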

We can all take away a lesson from this to check what information we are sharing and with whom. Remember, if you’re not paying for it, chances are you’re the product!

Let me know what you think about this latest leak and what measures you take to be safe online… Until next time, happy reading!
