Facebook announced that as many as 6 million accounts had been vulnerable to a security glitch that exposed personal contact information, including email addresses and phone numbers. The software bug was discovered last week and the company said it dates back to last year.
Facebook said Friday that the glitch had already been fixed and that, despite the length of time it was live on Facebook, it did not appear anyone had used it maliciously. Still, the company said it was "upset and embarrassed" over the security flaw and was in the process of notifying users by email.
"Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people's contact information as part of their account on Facebook," said the Facebook Security team.
The software bug affected the site's Download Your Information tool, which allows users to download an archive of their Facebook account. The company said the tool was not available to developers or advertisers.
"If a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection. This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool."
According to Facebook, the bug's damage was minimal, primarily because personal information was only shared between users who had some connection. Additionally, only contact information was exposed, and financial data like credit card numbers remained protected.
The inadvertently shared data also included contact information for non-Facebook users; however, a company spokesperson told TechCrunch that the data "wasn't structured and wasn't identifiable."