Facebook has revealed that a bug inadvertently exposed the contact information of 6 million of its users via the social network's Download Your Information (DYI) tool.
The glitch has since been fixed, and affected members are being notified, Facebook said in a post on its security blog.
The problem stemmed from a tool that allows users to upload their contact lists or address books to Facebook so that the social network can serve up friend recommendations or invite people to join Facebook.
"Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people's contact information as part of their account on Facebook," the company wrote in the blog post.
As a result, when members used Facebook's DYI tool, which provides them with a copy of all their Facebook data, some were also provided with email addresses or phone numbers they did not previously have. "This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool," Facebook said.
According to Facebook, 6 million email addresses and phone numbers were shared; other addresses and numbers were included in the DYI data, but they were undecipherable. Facebook believes the information was only shared once or twice, so "in almost all cases, an email address or telephone number was only exposed to one person." Developers and advertisers did not gain access to the info.
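The mechanism described above is a data-provenance failure: contact values matched from other people's uploaded address books ended up stored on the same account record as the values the account holder entered, and the export tool did not tell the two apart. The following is an added illustration, not Facebook's code, of tagging each stored contact value with its source and filtering a DYI-style export down to what the account holder supplied. All names, the `record_upload` matching step and the sample accounts are constructed for the example.

```python
"""Added illustration of the provenance bug described above (not Facebook code).
Contact values that reach an account through other users' address-book uploads
are stored next to the values the holder entered; an export that does not check
provenance hands the uploaded values to the account holder."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SELF = "self_provided"             # entered by the account holder
INFERRED = "inferred_from_upload"  # derived from someone else's uploaded address book


@dataclass
class ContactValue:
    kind: str                         # "email" or "phone"
    value: str
    source: str                       # SELF or INFERRED
    uploader_id: Optional[str] = None  # hypothetical: who supplied it when INFERRED


@dataclass
class Account:
    user_id: str
    contacts: List[ContactValue] = field(default_factory=list)


def record_upload(accounts: Dict[str, Account], uploader_id: str,
                  matched_user_id: str, kind: str, value: str) -> None:
    """Store a contact value matched from an uploaded address book on the matched
    account, tagged with its provenance. Storing such values alongside the
    holder's own data is the situation the article describes; the tag is what
    lets the export below exclude them."""
    acct = accounts[matched_user_id]
    # Deduplicate on (kind, value) so repeated uploads do not pile up.
    if any(c.kind == kind and c.value == value for c in acct.contacts):
        return
    acct.contacts.append(ContactValue(kind, value, INFERRED, uploader_id))


def export_buggy(acct: Account) -> List[dict]:
    """Flawed DYI-style export: dumps every contact value on the record, so
    values other people uploaded about this user are handed to the user."""
    return [{"kind": c.kind, "value": c.value} for c in acct.contacts]


def export_fixed(acct: Account) -> List[dict]:
    """Hardened export: only values the account holder provided themselves."""
    return [{"kind": c.kind, "value": c.value}
            for c in acct.contacts if c.source == SELF]


def leaked_values(acct: Account) -> List[str]:
    """Values the buggy export reveals that the fixed export does not."""
    fixed = {(d["kind"], d["value"]) for d in export_fixed(acct)}
    return [d["value"] for d in export_buggy(acct)
            if (d["kind"], d["value"]) not in fixed]


def build_sample() -> Dict[str, Account]:
    """Constructed sample data: Bob uploads an address book containing a phone
    number for Alice that Alice never gave the service."""
    accounts = {
        "alice": Account("alice", [ContactValue("email", "alice@example.com", SELF)]),
        "bob": Account("bob", [ContactValue("email", "bob@example.com", SELF)]),
    }
    record_upload(accounts, "bob", "alice", "phone", "+1-555-0100")
    return accounts


if __name__ == "__main__":
    accts = build_sample()
    print("buggy export:", export_buggy(accts["alice"]))
    print("fixed export:", export_fixed(accts["alice"]))
    print("leaked:", leaked_values(accts["alice"]))
```

Filtering the export is the minimal fix; the stronger design keeps inferred contact data off the user's account record altogether, in a store keyed to the recommendation feature that needs it, so a future export or API path cannot reintroduce the leak.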
The bug was discovered through Facebook's White Hat programme, and Facebook paid out a bug bounty for the tip. Once it was revealed, Facebook shut down the DYI tool and fixed the problem within 24 hours. According to TechCrunch, the bug had been live since 2012.
"We currently have no evidence that this bug has been exploited maliciously and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing," Facebook said.
Facebook said it is in the process of notifying affected users via email.