Facebook's security blog Friday posted details of a recent information leak that affected as many as 6 million users. It's also in the process of emailing users hit by the bug to let them know about it.
The problem was with Facebook's "download my information" tool, which as the name suggests allows you to download the data the social network has related to you: posts, contacts, pictures and so on.
The tool also downloads the emails and phone numbers of the people you are in touch with. In about 6 million cases, emails and phone numbers that those people had given to Facebook privately were accidentally bundled into the download alongside the contact information the downloading user already had.
Say you gave Facebook your personal email address privately, for example to check whether your Gmail contacts are on Facebook, but someone you know found you via your phone number. If that person used the download tool, the download would have included not just the number they already had for you but your email address as well.
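The mechanism described above, as a simplified model written for this page; it is not Facebook's code, and the user names, field layout and sample records are constructed assumptions. The buggy export merges every fact the service holds about a contact once that contact is in the requester's address book, while the fixed export includes a fact only if the requesting user supplied it themselves or the subject made it public. A third function reports what the buggy version would over-share, which is the kind of regression check a practitioner would want to run before shipping an export feature.

```python
from collections import defaultdict

# Constructed sample data, not from Facebook. Each fact records who it is
# about, which field, the value, who supplied it, and whether the subject
# has chosen to make it public.
CONTACT_FACTS = [
    # bob has alice's phone number in his address book and uploaded it
    {"about": "alice", "field": "phone", "value": "+1-555-0100",
     "provided_by": "bob", "public": False},
    # alice gave the service her own email, privately, for contact matching
    {"about": "alice", "field": "email", "value": "alice@example.com",
     "provided_by": "alice", "public": False},
    # carol lists her email publicly on her profile
    {"about": "carol", "field": "email", "value": "carol@example.com",
     "provided_by": "carol", "public": True},
    # bob also uploaded carol's phone number
    {"about": "carol", "field": "phone", "value": "+1-555-0199",
     "provided_by": "bob", "public": False},
]


def known_contacts(user):
    """Subjects that `user` has supplied at least one fact about (never self)."""
    return {f["about"] for f in CONTACT_FACTS
            if f["provided_by"] == user and f["about"] != user}


def export_contacts_buggy(user):
    """Models the flawed behaviour: once a subject is in the user's contact
    list, every fact held about that subject is merged into the export,
    including facts the subject or other users supplied privately."""
    export = defaultdict(dict)
    subjects = known_contacts(user)
    for f in CONTACT_FACTS:
        if f["about"] in subjects:
            export[f["about"]][f["field"]] = f["value"]
    return dict(export)


def export_contacts_fixed(user):
    """Provenance-aware export: a fact is included only if the requesting
    user supplied it, or the subject has made it public. A private email
    the subject uploaded for matching never leaves the subject's account."""
    export = defaultdict(dict)
    subjects = known_contacts(user)
    for f in CONTACT_FACTS:
        if f["about"] not in subjects:
            continue
        if f["provided_by"] == user or f["public"]:
            export[f["about"]][f["field"]] = f["value"]
    return dict(export)


def leaked_facts(user):
    """Regression check: (subject, field) pairs the buggy export reveals to
    `user` that the provenance-aware export does not."""
    buggy, fixed = export_contacts_buggy(user), export_contacts_fixed(user)
    return sorted((who, fld) for who, fields in buggy.items()
                  for fld in fields if fld not in fixed.get(who, {}))


if __name__ == "__main__":
    for user in ("bob", "alice"):
        print(user, "buggy:", export_contacts_buggy(user))
        print(user, "fixed:", export_contacts_fixed(user))
        print(user, "over-shared:", leaked_facts(user))
```

Running this shows that bob's buggy export carries alice's privately supplied email, which the fixed export drops while still returning the phone number bob uploaded himself and carol's public email. The general rule the fix encodes is that an export of "your data" should be filtered by who supplied each field and by the subject's own visibility choice, not by whether the subject happens to be linked to the requester.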
Facebook says every instance of the bug it has detected resulted in the affected information being downloaded only once or twice. So while extra contact data for about 6 million users was indeed shared, it wasn't exposed all at once in a single database but a piece at a time, and each piece was downloaded inadvertently by someone the user knew, not by a hacker.
Facebook's team writes that there is "no evidence that this bug has been exploited maliciously," and the download tool was disabled and fixed as soon as the problem was detected.
A Facebook spokesman told NBC News that the social network had received no complaints and that the bug was not obvious, since someone downloading contact information was unlikely to notice, or care about, one extra email address or phone number. Facebook said it learned of the bug through its White Hat program.
Still, the incident is "something we're upset and embarrassed by, and we'll work doubly hard to make sure nothing like this happens again," the social network said on its blog. Facebook also said it has "already notified our regulators in the US, Canada and Europe" about the issue.
The disclosure comes two weeks after reports that Facebook and other Internet giants, including Google, Apple, Microsoft and Yahoo, have given the National Security Agency access to Americans' email and other personal information that is transmitted on various online services. It's a charge that Facebook and the other companies have denied.
Separately, Facebook settled with the Federal Trade Commission last summer to resolve charges that the social network previously exposed details about its users' lives without getting the required legal consent. Part of that settlement calls for Facebook to have a regular, independent audit of its privacy practices. In April, Facebook said the most recent audit found Facebook's privacy practices to be sufficient.
Devin Coldewey is a contributing writer for NBC News Digital. His personal website is coldewey.cc.