Want to know Facebook’s official explanation as to what really happened in what is undoubtedly a massive privacy breach? Also included is the email sent out by Facebook to 6 million users explaining the same.

facebook privacy bug 1 Heres Facebooks explanation and email to 6 million users post squashing privacy flaw bug

Earlier today, Facebook admitted that a bug in their privacy framework exposed information of 6 million members to other users. So what’s Facebook’s explanation to what really happened?

When people upload their contact lists or address books to Facebook, we try to match that data with the contact information of other people on Facebook in order to generate friend recommendations. For example, we don’t want to recommend that people invite contacts to join Facebook if those contacts are already on Facebook; instead, we want to recommend that they invite those contacts to be their friends on Facebook.

Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people’s contact information as part of their account on Facebook.

As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection. This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool.

Sadly, we don’t have any information related to the timeframe for which this bug existed, meaning this privacy breach could have gone on for months unnoticed by users. Hopefully nobody comes to any real harm due to this goof-up. Facebook touted that their White Hat program lead to the eventual discovery of the bug, and that the researcher has been paid a handsome bounty for his discovery.

UPDATE

Timeframe is said to be year-long, leaves us open-mouthed.

facebook privacy bug 2 Heres Facebooks explanation and email to 6 million users post squashing privacy flaw bug

User’s who have been affected by the bug have all been sent out an email. Here’s a copy of the same:

Dear ___,

Your privacy is incredibly important to everyone who works at Facebook, and we’re dedicated to protecting your information. While many of us focus our full-time jobs on preventing or fixing issues before they affect anyone, we recently fell short of our goal and a technical bug caused your telephone number or email address to be accessible by another person.

The bug was limited in scope and likely only allowed someone you already know outside of Facebook to see your email address or telephone number. That said, we let you down and we are taking this error very seriously.

Describing what caused the bug can get pretty technical, but we want to explain how it happened. When people upload their contact lists or address books to Facebook, we try to match that data with the contact information of other people on Facebook in order to generate friend recommendations. Because of the bug, the email addresses and phone numbers used to make friend recommendations and reduce the number of invitations we send were inadvertently stored in their account on Facebook, along with their uploaded contacts. As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, which included their uploaded contacts, they may have been provided with additional email addresses or telephone numbers.

Here is your contact Information (inadvertently accessible by at most 1 Facebook user):

[Phone number]
[Email address 1]
[Email address 2]

We estimate that 1 Facebook user saw this additional contact info displayed next to your name in their downloaded copy of their account information. No other info about you was shown and it’s likely that anyone who saw this is not a stranger to you, even if you’re not friends on Facebook.

We recognize that mistakenly sharing contact info is unacceptable, even if you are acquainted with people who saw these details, and we’ve taken measures to prevent this from happening again. For more information on the bug, please read our blog post.

All of us at Facebook take this issue very personally. We appreciate your ongoing use of Facebook, and are working every day to deliver the level of service you expect and deserve.

Thank you,
The Facebook Team

Are you one of those who were affected by this bug? Whether yes or no, do share your personal opinions on such incidents.