Facebook admits bug exposed phone numbers & emails from 6M accounts

Facebook revealed a bug today that allowed people to download contact information for their friends, which, well, wasn’t actually supplied by their friends. The bug seems to have affected over six million users thus far.

Facebook stores the contact information that you provide when you use the “Find Friends” tool. The Find Friends tool looks at your contact lists from your e-mail, Skype, iCloud, and other accounts and then suggests friends for you to add. The company says it helps them reduce the number of invitations that are sent out to people they hope will join Facebook.

But the bug took contact information that was not supplied by the user and stored it alongside their profile. The bug is a little confusing, so let’s use an example to explain it. Joan is a user on Facebook. Joan adds her school e-mail address, joan@imadethisup.edu, to her public contact information.

Michael is a real-life friend of Joan’s. He is bummed he only has 100 friends (I mean, like, you’re a nobody if you have under 600), so he uses the Find Friends tool and gives Facebook access to his Gmail contact list. He happens to have two e-mail addresses for Joan in there: joan@imadethisup.edu and joan@thisisweird.com. Facebook then associates joan@thisisweird.com with Joan’s Facebook account, even though she didn’t upload that contact information.

Then a third friend, Tim, who is already friends with Joan, decides to download his information. This bug swept up not only the information that Joan provided to Facebook (joan@imadethisup.edu), but also the information that Michael supplied (joan@thisisweird.com).

This could also go for phone numbers (let’s say Michael has both Joan’s .edu e-mail address and her cell phone number), so you can see how this might get uncomfortable.
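The Joan, Michael and Tim scenario above, as a simplified model. This is an added example, not Facebook's code: the `Directory` class, its method names and the provenance-filtered export are assumptions used to show why an export has to check who supplied each stored value.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ContactPoint:
    value: str        # e-mail address or phone number
    supplied_by: str  # provenance: who handed this value to the service

@dataclass
class Account:
    name: str
    contact_points: set = field(default_factory=set)
    friends: set = field(default_factory=set)

class Directory:
    """Hypothetical model of the service's contact store (not Facebook's code)."""
    def __init__(self):
        self.accounts = {}

    def add_account(self, name, own_contacts=()):
        self.accounts[name] = Account(name, {ContactPoint(v, name) for v in own_contacts})

    def befriend(self, a, b):
        self.accounts[a].friends.add(b)
        self.accounts[b].friends.add(a)

    def find_friends(self, uploader, address_book):
        # Each address-book entry is a set of values the uploader holds for one person.
        for entry in address_book:
            for acct in self.accounts.values():
                known = {cp.value for cp in acct.contact_points}
                if acct.name != uploader and known & entry:
                    # Matched an account: the unmatched values get attached to it too.
                    acct.contact_points |= {ContactPoint(v, uploader) for v in entry - known}

    def export_buggy(self, requester):
        # Returns everything stored against each friend, regardless of who supplied it.
        return {f: sorted(cp.value for cp in self.accounts[f].contact_points)
                for f in self.accounts[requester].friends}

    def export_fixed(self, requester):
        # Returns only values the friend supplied themselves.
        return {f: sorted(cp.value for cp in self.accounts[f].contact_points
                          if cp.supplied_by == f)
                for f in self.accounts[requester].friends}

def build_scenario():
    # Constructed data matching the article's example.
    d = Directory()
    d.add_account("Joan", ["joan@imadethisup.edu"])
    d.add_account("Michael")
    d.add_account("Tim")
    d.befriend("Tim", "Joan")
    d.find_friends("Michael", [{"joan@imadethisup.edu", "joan@thisisweird.com"}])
    return d
```
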

Facebook says that the bug has been patched and is notifying those users who were affected.