The bug meant email addresses and phone numbers for some users could be accessed by other people who already had some of their contact information or were connected to them in some way on the network.
The glitch occurred in the part of Facebook’s system that allows it to generate friend recommendations based on the personal contact information added by users.
Users accessing Facebook’s Download your Information (DYI) tool could have mistakenly been provided the contact information for other users.
The bug was discovered by Facebook’s White Hat Programme, which is in place to collaborate with external experts to ensure it “maintains the highest security standards”.
In a statement on its blog the social network said: “At Facebook, we take people’s privacy seriously, and we strive to protect people’s information to the very best of our ability. Even with a strong team, no company can ensure 100 per cent prevention of bugs, and in rare cases we don’t discover a problem until it has already affected a person’s account.”
When the bug was discovered, Facebook deactivated the tool to fix the problem, but not before more than 6 million users’ email addresses and telephone numbers were shared with other users. Facebook claims no other information, such as financial or personal information, was shared, and no information was revealed to advertisers or developers.
It is not thought the data leak was malicious.
Facebook also says: “Although the practical impact of this bug is likely to be minimal since any email address or phone number that was shared was shared with people who already had some of that contact information anyway … it’s still something we’re upset and embarrassed by, and we’ll work doubly hard to make sure nothing like this happens again. Your trust is the most important asset we have, and we are committed to improving our safety procedures and keeping your information safe and secure.”