But no financial or other information was revealed to others, and there was “no evidence that this bug has been exploited maliciously,” Facebook said in a security note, adding it was “upset and embarrassed” by the glitch.
Affected users were being notified by email, it said, while stressing that the practical impact was likely to be “minimal,” partly because improper data sharing would only have occurred between users who already had some connection.
“We take people’s privacy seriously, and we strive to protect people’s information to the very best of our ability,” it said, but added: “Even with a strong team, no company can ensure 100 percent prevention of bugs.”
In this case, the bug “may have allowed some of a person’s contact information (email or phone number) to be accessed by people who either had some contact information about that person or some connection to them.”
The unwarranted sharing would have occurred when a Facebook user went to download an archive of their Facebook account through the social network’s Download Your Information (DYI) tool, it said.
“They may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection,” according to the security note.
It continued: “We’ve concluded that approximately 6 million Facebook users had email addresses or telephone numbers shared.”
“We currently have no evidence that this bug has been exploited maliciously, and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing.”
“Although the practical impact of this bug is likely to be minimal since any email address or phone number that was shared was shared with people who already had some of that contact information anyway, or who had some connection to one another, it’s still something we’re upset and embarrassed by.”