Facebook White Hat security bug briefly exposes user contact info

Facebook security bug of 2013
Download your Facebook information (and maybe that of others)

The Facebook nightmare of a security bug exposing the contact information of some of its more than 1 billion members has come true, the social networking company admitted today.

The good news is that the impact was minimal, outing only 6 million members' email addresses and phone numbers in a very roundabout way, and Facebook has already corrected the White Hat glitch.

"No company can ensure 100 percent prevention of bugs, and in rare cases we don't discover a problem until it has already affected a person's account," Facebook said in a statement.

"A bug may have allowed some of a person's contact information (email or phone number) to be accessed by people who either had some contact information about that person or some connection to them."

Inadvertently stored information

Facebook's friend recommendation service, which asks to use a member's third-party contact lists and address books, is the source of this White Hat bug.

"We try to match that data with the contact information of other people on Facebook in order to generate friend recommendations," explained the company.

"Some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people's contact information as part of their account on Facebook."

No evidence of malicious hacking

There is no evidence that this bug was exploited maliciously, according to Facebook, which said it has not received complaints from users or detected anomalous behavior.

That's probably because it would have taken a little work just to get a chance at accessing the exposed information.

"If a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection."

"This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool."

Facebook immediately disabled the DYI tool and fixed the issue within 24 hours. However, it's still emailing the 6 million potentially affected users.

It stressed that "no other types of personal or financial information were included and only people on Facebook – not developers or advertisers – have access to the DYI tool."

"Your trust is the most important asset we have," Facebook said at the conclusion of its statement. "We are committed to improving our safety procedures and keeping your information safe and secure."

Matt Swider