Facebook today revealed that a bug last month set some users’ suggested privacy settings for posts to public. The company estimates that 14 million users were affected, and is notifying users of the bug starting today.
In the status update box at the top of a user’s News Feed, they have the option to select who they would like to share their post with — “public,” “friends,” or “friends except for.” Even if a user had set their default sharing option to “friends,” the bug changed the setting for affected users to “public.” That means if an eagle-eyed user didn’t catch the bug, they likely shared some status updates publicly on Facebook that they meant to share only with friends.
The bug affected posts shared between May 18 and May 27, though Facebook started rolling out a fix on May 22. A statement attributed to Facebook chief privacy officer Erin Egan read, “we recently found a bug that automatically suggested posting publicly when some people were creating their Facebook posts. We have fixed this issue and starting today we are letting everyone affected know and asking them to review any posts they made during that time. To be clear, this bug did not impact anything people had posted before — and they could still choose their audience just as they always have. We’d like to apologize for this mistake.”
According to TechCrunch, the bug was caused by a new tool Facebook is building called featured items, which “highlights photos and other content [on a user’s profile]. These featured items are publicly visible, but Facebook inadvertently extended that setting to all new posts from those users.”
Considering that Facebook has nearly 2.2 billion users worldwide, the number of affected users is small. And while the bug was only in effect for a few days, it’s an example of how many different settings users have to be aware of on Facebook. If they don’t check to make sure that they have the correct settings before hitting “post,” they may be sharing sensitive information with users they didn’t intend to.
The tweet below shows the notification users will be receiving. Facebook will also flag for the user which posts they shared between May 18 and May 27, and will show them what the privacy setting was on that post. That way, users can reset a post that was inadvertently set to public back to being shared just with friends if they would like.
This is the alert Facebook is showing to 14 million users affected by its latest privacy screw-up pic.twitter.com/Az5kxM1Mfn
— Matt Navarra (@MattNavarra) June 7, 2018
VentureBeat has reached out to Facebook for more information about who may have been affected and will update this story if we hear back.
You can't solo security COVID-19 game security report: Learn the latest attack trends in gaming. Access here