Facebook “Bug” Leads to Inadvertent Disclosure of Six Million Users’ Contact Information

By July 5, 2013 Data Security


On June 21, 2013, Facebook issued a notice that a software “bug” may have allowed Facebook users to access additional contact information (email addresses and phone numbers) for millions of individuals without the consent or knowledge of those individuals.

An external security researcher (a “white hat” hacker) discovered a potential exploit involving Facebook’s Download Your Information (“DYI”) tool. Due to the software bug, when a Facebook user uploaded his or her contacts list into Facebook, and then downloaded that same contacts list through Facebook’s DYI tool, the user would receive a file that contained not only the contact information included in his or her original contacts list, but also any information uploaded by other Facebook users about individuals that were common to both contacts lists.

For instance, if a Facebook user uploaded contact information for John Doe consisting of a single public email address, the user could potentially obtain additional pieces of contact information for John Doe so long as other users, related or unrelated, had also uploaded additional contact information for John Doe as part of their own contacts list.  Upon downloading his/her contacts list through the DYI tool, the user could receive all of the contact information associated with John Doe, regardless of who uploaded each piece of information, thereby providing the user with additional contact information.
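The disclosure path described above can be modelled in a few lines. This is an added example, not Facebook's code: the data model, the class and method names, and the choice to match contacts by name are assumptions made for illustration. It shows the merged export next to an export scoped to the requester's own uploads, plus an audit check for the difference.

```python
from collections import defaultdict

class ContactStore:
    """Hypothetical model: uploads about the same person are merged into one
    record, and each value remembers which users uploaded it."""

    def __init__(self):
        # person -> contact value -> set of uploader ids
        self._records = defaultdict(lambda: defaultdict(set))
        # uploader id -> set of people in that uploader's contacts list
        self._uploaded = defaultdict(set)

    def upload(self, uploader, person, values):
        for value in values:
            self._records[person][value].add(uploader)
        self._uploaded[uploader].add(person)

    def export_merged(self, requester):
        """Behaviour the article describes: the whole merged record for each
        person in the requester's list, regardless of who supplied each value."""
        return {p: sorted(self._records[p]) for p in sorted(self._uploaded[requester])}

    def export_scoped(self, requester):
        """Corrected export: only values the requester uploaded themselves."""
        return {p: sorted(v for v, who in self._records[p].items() if requester in who)
                for p in sorted(self._uploaded[requester])}

    def overexposed(self, requester):
        """Audit check: values the merged export discloses beyond the requester's uploads."""
        merged, scoped = self.export_merged(requester), self.export_scoped(requester)
        extra = {p: sorted(set(merged[p]) - set(scoped[p])) for p in merged}
        return {p: values for p, values in extra.items() if values}

def demo():
    # Constructed sample data; every name, address and number is made up.
    store = ContactStore()
    store.upload("alice", "John Doe", ["john.doe@example.com"])
    store.upload("bob", "John Doe", ["john.private@example.org", "+1-555-0100"])
    store.upload("bob", "Jane Roe", ["jane@example.com"])
    return store

if __name__ == "__main__":
    s = demo()
    print("merged export for alice:", s.export_merged("alice"))
    print("scoped export for alice:", s.export_scoped("alice"))
    print("over-exposed to alice:  ", s.overexposed("alice"))
```

Keeping the uploader alongside each stored value is what makes both the scoped export and the audit possible; a store that discards provenance at merge time cannot answer either question.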

Facebook has reported that six million Facebook users have had some of their contact information shared without their consent or knowledge. Facebook has also acknowledged that other email addresses and phone numbers not associated with a Facebook account were also disclosed, but has failed to specify how many such people were affected. Facebook has stated that it has notified regulators in the United States, Canada and Europe and is in the process of directly notifying affected individuals via email.

Although Facebook has since taken steps to ensure that the “bug” is fixed, and has further reported that there is no evidence that the bug was exploited for malicious purposes, the incident serves as yet another reminder that data security remains an ongoing concern for any organization or company with an online presence.