Facebook Data-Leaking Bug Exposes 6 Million Users' Data

24 June 2013

Facebook has admitted to a bug in its system that has given users of the Download Your Information (DYI) tool "additional email addresses or telephone numbers for their contacts or people with whom they have some connection."

Facebook apologized, stating that it has notified regulators in the US, Canada and Europe, and that it is contacting affected users by email. Security commentators, meanwhile, are trying to work out exactly what happened, and how.

Facebook has admitted that the bug caused the phone numbers and email addresses of six million users to be shared unintentionally. The number of UK users affected by the bug is believed to be around 200,000 according to the Telegraph.

One of the methods for increasing Facebook membership is to invite existing users to submit their email contact lists. The data in those contact lists is then matched with existing data to find connections. If a person is not already a member, that person might receive a Facebook email suggesting that they join and connect with known contacts already on the social network. Those who are already members, but not currently friends with other known members, might receive a message inviting them to become Facebook friends.

It would appear that the bug, discovered just over a week ago, failed to keep the links derived from uploaded contact lists (stored behind the scenes in what is known as a user's 'shadow profile') separate from the user's official profile. According to Reuters, the year-long bug was fixed within 24 hours, but it was several days before the company disclosed the issue, and the fact that it did so late on a Friday afternoon, a good time to bury bad news, has not been lost on researchers such as Graham Cluley.

According to the statement, when users invoked DYI, "they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection" (that is, from the contact data stored in the shadow profile), Facebook announced late on Friday.
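The failure mode the preceding paragraphs describe is a data-export routine drawing on the wrong data source: details that arrived in other users' uploaded address books being served up as if the person had shared them. The following is an added example, not Facebook's code or data model, that models that defect beside the corrected export and a regression check a defender could keep; all names, the `PROFILES`/`IMPORTED` stores and the sample values are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Profile:
    user_id: str
    friends: Set[str] = field(default_factory=set)
    own_email: Optional[str] = None   # entered by the account holder
    own_phone: Optional[str] = None   # entered by the account holder

@dataclass
class ImportedContact:
    uploaded_by: str                  # user whose address book held the entry
    email: Optional[str] = None
    phone: Optional[str] = None

# Constructed sample data (hypothetical model of a "shadow profile"):
# bob never gave the service his phone number, but carol's uploaded
# address book contained it. alice is bob's friend and runs an export.
PROFILES: Dict[str, Profile] = {
    "alice": Profile("alice", friends={"bob"}),
    "bob": Profile("bob", friends={"alice"}, own_email="bob@example.com"),
    "carol": Profile("carol"),
}
IMPORTED: Dict[str, List[ImportedContact]] = {
    "bob": [ImportedContact(uploaded_by="carol", phone="+1-555-0100")],
}

def export_buggy(exporter: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Export the exporter's friends the way the article describes the bug:
    gaps in a friend's self-entered details are filled from address books
    other users uploaded, so details the friend never shared leak out."""
    out = {}
    for fid in sorted(PROFILES[exporter].friends):
        p = PROFILES[fid]
        rec = {"email": p.own_email, "phone": p.own_phone}
        for c in IMPORTED.get(fid, []):          # the defect: wrong data source
            rec["email"] = rec["email"] or c.email
            rec["phone"] = rec["phone"] or c.phone
        out[fid] = rec
    return out

def export_fixed(exporter: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Only details a friend entered on their own profile are exportable;
    imported address-book entries are never a source for someone else's export."""
    return {fid: {"email": PROFILES[fid].own_email, "phone": PROFILES[fid].own_phone}
            for fid in sorted(PROFILES[exporter].friends)}

def leaked_fields(exporter: str) -> List[str]:
    """Regression check: any value present in the buggy export but absent
    from the fixed one is data the friend did not choose to share."""
    fixed = export_fixed(exporter)
    return [f"{fid}.{k}" for fid, rec in export_buggy(exporter).items()
            for k, v in rec.items() if v and not fixed[fid][k]]
```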

It went on to say, "We currently have no evidence that this bug has been exploited maliciously and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing." But many users are not satisfied. The point at issue is that someone using DYI might have received the telephone number of another person who specifically chose not to share that number with Facebook. 

Violet Blue, writing in ZDNet, put it like this: "What it means for me is that even though I've been very careful not to give my phone number to Facebook or the men in my 'friends,' the guys I've 'friended' might have gotten my phone number anyway, regardless of my consent. I did not know they may have been able to get my phone number throughout the course of a year, and now I have no way of finding out who might have gotten my phone number."

Infosecurity has reached out to both the UK Information Commissioner and the Irish Information Commissioner (Facebook has offices in Dublin) for comment on how the Data Protection Act bears on this potential leak of personal information. At the time of writing we have not heard back from the Irish Commissioner. The UK ICO will "take a look into this," and we will update this story with any comment we receive from either source.

Infosecurity received the following statement from the Office of the Data Protection Commissioner in Ireland:

"I can advise that Facebook-Ireland reported the system bug which gave rise to the inadvertent disclosure of additional contact information in respect of a user to a different user who used Facebook's "download your information" tools.

"In line with our general data breach guidance, we sought and were provided with a report on the matter from Facebook-Ireland. We sought assurances that the system bug had been fixed and also that the affected Facebook users should be advised. We are satisfied with Facebook-Ireland's response to our data breach procedures to date.

"In relation to the uploading of contact details by users to Facebook and the use by Facebook of those details, these matters were examined as part of our audit of Facebook-Ireland in 2011. The matter of the creation of shadow profiles, which our audit found no evidence of, is dealt with at Section 3.11.1 (p.119) of the document available [here]."
