One of Facebook’s archival features has accidentally exposed the contact information of around 6 million of its users. This includes email addresses and phone numbers that users may or may not have wanted shared with all their contacts.
The security bug comes from Facebook’s archive feature, which you can see pictured below. The feature lets you download things like media that you’ve posted on the site, your messages, and your friends’ names along with some of their email addresses. If you look closely, there’s a note there that explicitly states that the archive will “only include email addresses for friends who’ve allowed this in their account settings.” What the bug did was attach those friends’ email addresses and/or phone numbers anyway, exposing information that some people might have wanted kept private or limited to a select group of people.
According to Facebook, the bug has apparently been live since last year. It was discovered last week, and the security team fixed it within 24 hours of being notified of its existence. Additionally, before we all start freaking out about this, each individual email address or phone number was only included in the data once or twice. But more importantly, developers and advertisers do not have access to the archive tool, so none of that information was exposed to them.