Today, Facebook announced that it accidentally shared the contact information of 6 million users due to a software bug. The bug involved two Facebook features: “People You May Know” and “Download Your Information” (DYI). After learning of the bug from a researcher, Facebook deactivated the DYI tool to fix the problem. The bug has now been fixed and the tool is back.
When a user downloads their Facebook archive via the DYI tool, the archive includes the contact information of their friends. Due to this bug, the archive also included second-tier connections the user may know (based on People You May Know recommendations).
“Describing what caused the bug can get pretty technical, but we want to explain how it happened. When people upload their contact lists or address books to Facebook, we try to match that data with the contact information of other people on Facebook in order to generate friend recommendations. For example, we don’t want to recommend that people invite contacts to join Facebook if those contacts are already on Facebook; instead, we want to recommend that they invite those contacts to be their friends on Facebook,” the company explained.
“Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people’s contact information as part of their account on Facebook. As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection. This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool,” it added.
Facebook says that it is notifying government regulators about the problem. It will also send an email to all affected Facebook users. Facebook also noted that it has no evidence that the bug was maliciously exploited before it was found and fixed.