Facebook admits 6m users hit by data archive bug
Flaw undiscovered for a year; contact data downloaded by unauthorised parties
Facebook Inc on Friday admitted to a year-long flaw in its archive security that allowed 6 million users' phone numbers and email addresses to be accessed by unauthorised viewers, Reuters reported.
The disclosure follows claims, by IT security company Cyberoam, of a separate flaw in Facebook's authorisation layer that allowed malicious control of accounts, which was reported by ITP.net on Thursday.
Facebook attributed the latest issue to a bug in its archiving system, which led users who downloaded contact information from their friends list to also receive data they were not authorised to have.
Despite being aware of the issue last week and reportedly fixing it within 24 hours, the social media company did not make an announcement until Friday, according to Reuters.
"A Facebook spokesman said the delay was due to company procedure stipulating that regulators and affected users be notified before making a public announcement," the news agency reported.
"We currently have no evidence that this bug has been exploited maliciously and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing," Facebook said on its blog.
While claiming limited impact and pointing out that "no company can ensure 100% prevention of bugs", the company said "it's still something we're upset and embarrassed by, and we'll work doubly hard to make sure nothing like this happens again".
Both the authorisation vulnerability and the archive glitch followed a statement on Wednesday by Facebook chief operating officer Sheryl Sandberg that the world's largest social media company was at its strongest since its troubled IPO a year ago.
"When I look back at the last year since we went public, I believe we are unequivocally a much stronger company today than we were on literally any metric I can think of," Sandberg said at the Reuters Global Technology Summit.
Facebook's privacy breach also comes at a time when the company's participation in the NSA's Prism project has been revealed by former NSA contractor Edward Snowden.