The social networking giant Facebook discovered a critical vulnerability in its software that exposed the email addresses and phone numbers of almost 6 million users.
Like many companies, Facebook runs a White Hat Program that invites researchers and developers to submit vulnerabilities and flaws in its systems in return for a reward. Ironically, because of the challenge framework, a security hole was left open that allowed a user downloading his or her archive to also download contact information of other users who have any kind of connection with that person.
Advertisers and developers cannot use this tool, so it is safe to say that they did not receive any personal contact information of the users.
According to the social network giant, anyone who downloaded their data using the DYI (Download Your Information) tool was provided with additional contact information for their contacts. The provided information may not be 100% accurate, but it is nevertheless a security breach that had to be fixed. For this purpose, the company disabled the tool for a day to patch the vulnerability.
The company stated:
"We currently have no evidence that this bug has been exploited maliciously and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing. Although the practical impact of this bug is likely to be minimal since any email address or phone number that was shared was shared with people who already had some of that contact information anyway, or who had some connection to one another, it’s still something we’re upset and embarrassed by, and we’ll work doubly hard to make sure nothing like this happens again."
The affected users will be notified by the company via email to take necessary actions. Facebook also notified the regulatory authorities in the US, Canada and Europe about the breach.