The bug shared user details through Download Your Information tool

Facebook has admitted to a security breach caused by a bug that made six million of its users vulnerable, and has begun sending emails to the users whose email addresses and phone numbers were exposed.

This news could come as a shock to Facebook users who trusted the site's custom privacy settings. The social networking site landed in controversy earlier this month when it revealed that details of 9,000-10,000 of its users were shared with the US authorities.

"We've concluded that approximately 6 million Facebook users had email addresses or telephone numbers shared," Facebook admitted on Friday.

The security breach affected users of the 'Download Your Information' (DYI) and 'People You May Know' tools. 'People You May Know' suggests friends to Facebook users based on the contact lists or address books they have uploaded, while the DYI tool lets users download an archive of their Facebook Timeline.

"Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people's contact information as part of their account on Facebook. As a result, if a person went to download an archive of their Facebook account through DYI, they may have been provided with additional email addresses or telephone numbers for their contact," Facebook posted on its security blog.

Facebook was tipped off about the bug by its White Hat external security researchers.

"After review and confirmation, we immediately disabled the DYI tool to fix the problem and were able to turn the tool back on the next day once we were satisfied that the problem had been fixed," the post said.

Facebook sought to assure users that the bug had not been used with malicious intent: "We have not received complaints from users or seen anomalous behaviour on the tool or site to suggest wrongdoing."

The company did not specify the time period for which the user details were exposed, but said the bug was reported only 'recently'. It has alerted the six million users whose personal details were exposed, and has sent out an apology via email.

Here is the full text of the apology email:

Dear....,

Your privacy is incredibly important to everyone who works at Facebook, and we're dedicated to protecting your information. While many of us focus our full-time jobs on preventing or fixing issues before they affect anyone, we recently fell short of our goal and a technical bug caused your telephone number or email address to be accessible by another person.

The bug was limited in scope and likely only allowed someone you already know outside of Facebook to see your email address or telephone number. That said, we let you down and we are taking this error very seriously.

Describing what caused the bug can get pretty technical, but we want to explain how it happened. When people upload their contact lists or address books to Facebook, we try to match that data with the contact information of other people on Facebook in order to generate friend recommendations. Because of the bug, the email addresses and phone numbers used to make friend recommendations and reduce the number of invitations we send were inadvertently stored in their account on Facebook, along with their uploaded contacts. As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, which included their uploaded contacts, they may have been provided with additional email addresses or telephone numbers.

Here is your contact Information (inadvertently accessible by at most 1 Facebook user):

[Phone number]

[Email address 1]

[Email address 2]

We estimate that 1 Facebook user saw this additional contact info displayed next to your name in their downloaded copy of their account information. No other info about you was shown and it's likely that anyone who saw this is not a stranger to you, even if you're not friends on Facebook.

We recognize that mistakenly sharing contact info is unacceptable, even if you are acquainted with people who saw these details, and we've taken measures to prevent this from happening again. For more information on the bug, please read our blog post.

All of us at Facebook take this issue very personally. We appreciate your ongoing use of Facebook, and are working every day to deliver the level of service you expect and deserve.

Thank you,

The Facebook Team

This email has been provided by thenextweb.com