Facebook admitted on Friday that a security bug exposed the personal account and contact information of 6 million users.
Facebook's White Hat security team explained the bug in a post on the Facebook Security page, where the team said the information that Facebook uses to serve up friend recommendations was "inadvertently stored with people's contact information as part of their account on Facebook."
Some Facebook users, when downloading an archive of their account with the Download-Your-Information tool, apparently accessed additional contact data of friends and friends of friends.
"We've concluded that approximately 6 million Facebook users had email addresses or telephone numbers shared," wrote the White Hat team. "There were other email addresses or telephone numbers included in the downloads, but they were not connected to any Facebook users or even names of individuals."
Facebook said the security bug did not reveal other personal or financial data and that only people on Facebook – not developers or advertisers – accessed the DYI tool. Therefore, the bug was not exploited maliciously.
"For almost all of the email addresses or telephone numbers impacted, each individual email address or telephone number was only included in a download once or twice," Facebook clarified. "This means, in almost all cases, an email address or telephone number was only exposed to one person."
Facebook said it reviewed and confirmed the security bug, and therefore immediately disabled the DYI tool to fix the problem. The tool is now back online, however, because the problem has been resolved.
Today's news follows the PRISM scandal from earlier this month, when a 41-slide presentation leaked with details of a highly classified US government program that allegedly harvested data from companies like Facebook, Apple, Microsoft, Yahoo, Google, AOL, Skype YouTube and PalTalk.
Facebook denied any involvement with PRISM, though, emphasising it does not "provide any government organisation with direct access to Facebook servers".