Facebook has admitted that it exposed six million users' private phone numbers and email addresses to unauthorised viewers over the last year.
The social media network blamed a technical bug for the data breach, which has resulted in Facebook users who downloaded an archive of their Facebook account through the "Download Your Information" (DYI) tool to have access to additional addresses or telephone numbers of their contacts or others who they have a connection with.
Facebook, which has 1.1 billion users worldwide, said that it took 24 hours to fix the problem, but it only publicly acknowledged the bug on Friday afternoon, when it published an "Important Message from Facebook's White Hat Program".
In the message, Facebook said that when people upload their contact lists or address books to Facebook, it matches that data with contact information of other people on Facebook.
So for example, if ‘Keith' has added that his additional e-mail address is ‘[email protected]'. Irene joins Facebook and decides to let Facebook have access to her contact lists which includes a Keith with an e-mail address of ‘[email protected]' and a phone number.
After matching the data, Facebook suggests that Irene connects with Keith on Facebook. Then Tim joins Facebook and lets the social network use his contact list which identifies a Keith Smith, who lives in South Dakota, and works for Building Company Limited, and has an e-mail address of ‘[email protected]'.
While this works in matching people to friends that they may have wanted to connect to, the bug meant that if, for example, Irene uses the DYI tool on Facebook, she could get back information on Keith's address and workplace, which she didn't have before - information that Keith himself has not allowed Facebook to access.
Facebook disabled the DYI tool to fix the problem. It said that in almost all cases, an email address or telephone number was exposed to only one person, and that no other personal or financial information were included.
It reassured users that developers or advertisers did not - and do not - have access to the DYI tool, before adding that it "currently has no evidence that this bug has been exploited maliciously, and has not received complaints from users or seen anomalous behaviour on the tool or site to suggest wrongdoing".
The social media company said that the bug was "something we're upset and embarrassed by, and we'll work doubly hard to make sure nothing like this happens again".