Facebook Data-Leaking Bug Exposes 6 Million Users' Data

Facebook apologized, stating that it has notified regulators in the US, Canada and Europe, and that it is contacting affected users by email. Security commentators, meanwhile, are trying to work out exactly what happened, and how.

Facebook has admitted that the bug caused the phone numbers and email addresses of six million users to be shared unintentionally. The number of UK users affected by the bug is believed to be around 200,000 according to the Telegraph.

One of the methods for increasing Facebook membership is to invite existing users to submit their email contact lists. The data in those contact lists is then matched with existing data to find connections. If a person is not already a member, that person might receive a Facebook email suggesting that they join and connect with known contacts already on the social network. Those who are already members, but not currently friends with other known members, might receive a message inviting them to become Facebook friends.

It would appear that the bug, discovered just over a week ago, failed to separate the links built from uploaded contact lists (stored behind the scenes in what is known as a user's 'shadow profile') from the user's official profile. According to Reuters, the year-long bug was fixed within 24 hours, but it was several days before the company disclosed the issue, and it did so late on a Friday afternoon, a good time to bury bad news, a point not lost on researchers such as Graham Cluley.

According to the statement, which Facebook released late on Friday, when users invoked its Download Your Information (DYI) tool, "they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection" (that is, from the contact data stored in the shadow profile).

It went on to say, "We currently have no evidence that this bug has been exploited maliciously and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing." But many users are not satisfied. The point at issue is that someone using DYI might have received the telephone number of another person who specifically chose not to share that number with Facebook. 
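The contact-matching mechanism and the consent problem described above, as an added toy model that is not Facebook's code: every stored contact fact carries its provenance, the buggy DYI export merges shadow-profile data regardless of who supplied it, and the corrected export releases only what the subject entered themselves or what the requester uploaded. Names, values and the name-based matching are constructed simplifications.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fact:
    kind: str    # "email" or "phone"
    value: str
    source: str  # "self", or "upload:<member>" when learned from that member's contact list


class Directory:
    """Toy model of member profiles plus the 'shadow' data built from uploaded contact lists."""

    def __init__(self):
        self.profile = {}  # member -> facts the member entered themselves
        self.shadow = {}   # member -> facts other members uploaded about them

    def register(self, member, kind, value):
        self.profile.setdefault(member, set()).add(Fact(kind, value, "self"))

    def upload_contacts(self, uploader, contacts):
        # contacts: (name, kind, value) triples, matched to members by name (constructed simplification)
        for name, kind, value in contacts:
            if name in self.profile and name != uploader:
                self.shadow.setdefault(name, set()).add(Fact(kind, value, f"upload:{uploader}"))

    def export_buggy(self, requester, friends):
        """DYI as the bug is described: shadow facts are merged in, ignoring who supplied them."""
        return {f: sorted({x.value for x in self.profile.get(f, set()) | self.shadow.get(f, set())})
                for f in friends}

    def export_fixed(self, requester, friends):
        """Provenance-aware DYI: a friend's self-entered data, plus only what the requester uploaded."""
        out = {}
        for f in friends:
            allowed = set(self.profile.get(f, set()))
            allowed |= {x for x in self.shadow.get(f, set()) if x.source == f"upload:{requester}"}
            out[f] = sorted({x.value for x in allowed})
        return out


def demo():
    # Constructed scenario: alice gives the service only an email and deliberately no phone number.
    d = Directory()
    for member in ("alice", "bob", "carol"):
        d.register(member, "email", f"{member}@example.com")
    # bob uploads his address book, which happens to contain alice's phone number.
    d.upload_contacts("bob", [("alice", "phone", "+15550100"), ("alice", "email", "alice@example.com")])
    # carol is alice's friend but was never given her number; bob uploaded it himself.
    return {"carol_buggy": d.export_buggy("carol", ["alice"]),
            "carol_fixed": d.export_fixed("carol", ["alice"]),
            "bob_fixed": d.export_fixed("bob", ["alice"])}
```

In the buggy export Carol receives Alice's phone number even though Alice never shared it; in the fixed export only Bob, who uploaded it, gets it back.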

Violet Blue, writing in ZDNet, put it like this: "What it means for me is that even though I've been very careful not to give my phone number to Facebook or the men in my 'friends,' the guys I've 'friended' might have gotten my phone number anyway, regardless of my consent. I did not know they may have been able to get my phone number throughout the course of a year, and now I have no way of finding out who might have gotten my phone number."

Infosecurity has reached out to both the UK Information Commissioner and the Irish Information Commissioner (Facebook has offices in Dublin) for a comment on any relevance of this potential leak of personal information with the Data Protection Act. At the time of writing we have not heard back from the Irish Commissioner. The UK ICO will "take a look into this," and we will update this story with any comment we receive from either source.

Infosecurity received the following statement from the Office of the Data Protection Commissioner in Ireland:

"I can advise that Facebook-Ireland reported the system bug which gave rise to the inadvertent disclosure of additional contact information in respect of a user to a different user who used Facebook's "download your information" tools.

"In line with our general data breach guidance, we sought and were provided with a report on the matter from Facebook-Ireland.  We sought assurances that the system bug had been fixed and also that the affected Facebook users should be advised.  We are satisfied with Facebook-Ireland's response to our data breach procedures to date.

"In relation to the uploading of contact details by users to Facebook and the use by Facebook of those details, these matters were examined as part of our audit of Facebook-Ireland in 2011.  The matter of the creation of shadow profiles, which our audit found no evidence of, is dealt with at Section 3.11.1 (p.119) of the document available [here]."
