Facebook has admitted that a bug caused the phone numbers and email addresses of six million users to be shared unintentionally.
The number of UK users affected by the bug is believed to be around 200,000, according to the Telegraph.
But Facebook said in a blog post that in almost all cases, an email address or telephone number was exposed to only one person and that no other types of personal or financial information were included.
The social networking firm said that the bug, which was fixed within a day of being reported, caused some of the information used to make friend recommendations to be stored inadvertently in association with people’s contact information as part of their account on Facebook.
“As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection,” Facebook said.
According to Facebook, there is no evidence that this bug has been exploited maliciously and there have been no complaints from users or anomalous behavior on the tool or site to suggest wrongdoing.
Although the practical impact of this bug is likely to be minimal, Facebook said it was “upset and embarrassed” and would work “doubly hard” to make sure nothing like this happens again.
Facebook said it had notified regulators in the US, Canada and Europe, and it was in the process of notifying affected users by email.
The bug was reported by a security researcher participating in Facebook’s White Hat program. The company said he had received a bug bounty for his report.
The bug bounty initiative was set up by Facebook to collaborate with external security researchers. Similar bug bounty initiatives are run by Google and PayPal.
Although Microsoft has long held out from offering a bug bounty, it has gone a step further by offering up to $100,000 for “truly novel” exploitation techniques against protections built into Windows 8.
“Learning about new exploitation techniques earlier helps Microsoft improve security by leaps, instead of capturing one vulnerability at a time as a traditional bug bounty alone would,” the firm said in a blog post.