The Facebook bug that leaked the private contact information of 6 million users, confirmed by the company on Friday, appears to be worse than originally thought, according to a group of security researchers.
Packet Storm Security, a firm that employs the "white-hat" hackers who helped report the bug, indicated in a post on Wednesday that the social network underreported the breadth of the information leaked when it emailed Facebook members on Friday.
The bug allowed those who downloaded their Facebook account histories through the "Download Your Information" tool to inadvertently access some of their friends' email addresses and phone numbers that were never shared on the network. Facebook emailed each affected member about the breach. But according to Packet Storm Security, the company told users about fewer pieces of data than had actually been compromised, and did not tell non-users that it was hoarding information on them, too.
"We compared Facebook email notification data to our test case data," the researchers wrote. "In one case, they stated 1 [one] additional email address was disclosed, though 4 pieces of data were actually disclosed. For another individual, they only told him that 3 out of 7 pieces of data were disclosed."
"[Facebook's] statement that 'No other info about you was shown' seems to be a red herring," Packet Storm continued. "We asked Facebook what this means for non-Facebook-users who had their information also disclosed. The answer was simple — they were not contacted and the information was not reported. As a billion users upload their contacts, their associates on and off of Facebook will all become stored and correlated."
Facebook explained on Friday that it mined offsite data in an effort to "better create friend suggestions for the user." Potentially, any Facebook user can have a shadow profile that holds both unsurprising information (your likes, relationship status) and more closely guarded information, such as a second or third email address or your phone number, even if you have never shared it. This information can come from friends or even friends of friends.
HuffPost reached out to Facebook for comment. The company told the tech site ZDNet that the number of people currently using the DYI tool is not available publicly. Facebook's post on Friday noted that there "were other email addresses or telephone numbers included in the downloads, but they were not connected to any Facebook users or even names of individuals."
"Due to a flaw in how Facebook implemented this [Download Your History], it also housed contact information from other uploads other users have performed for the same person, provided you had one piece of matching data, effectively building large dossiers on people," Packet Storm Security wrote in an earlier post.
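The merging behaviour described in that quote, as an added illustration that is not Facebook's code or Packet Storm's: a toy model in which any shared (field, value) pair links address-book uploads into one record, the flawed export hands a requester the whole merged record, and the scoped export returns only what that requester uploaded. All uploaders, names and contact values are constructed.

```python
from collections import defaultdict

# Constructed sample address-book uploads: (uploader, contact fields).
# Names and values are hypothetical, not data from the report.
UPLOADS = [
    ("alice", {"name": "Dana", "email": "dana@example.org"}),
    ("bob", {"name": "Dana", "email": "dana@example.org", "phone": "+1-555-0100"}),
    ("carol", {"email": "dana@example.org", "email2": "dana.work@example.org"}),
]

def correlate(uploads):
    """Group entries sharing at least one (field, value) pair into one merged record."""
    parent = list(range(len(uploads)))
    def find(i):
        while parent[i] != i:
            i = parent[i]
        return i
    seen = {}
    for i, (_, fields) in enumerate(uploads):
        for kv in fields.items():
            if kv in seen:
                parent[find(i)] = find(seen[kv])  # union with the earlier match
            else:
                seen[kv] = i
    groups = defaultdict(list)
    for i in range(len(uploads)):
        groups[find(i)].append(i)
    return list(groups.values())

def export_vulnerable(uploads, requester):
    """Flawed export: returns the whole merged record, including fields only others uploaded."""
    out = []
    for group in correlate(uploads):
        if any(uploads[i][0] == requester for i in group):
            merged = {}
            for i in group:
                merged.update(uploads[i][1])
            out.append(merged)
    return out

def export_fixed(uploads, requester):
    """Scoped export: only what the requester's own uploads contained."""
    return [dict(fields) for who, fields in uploads if who == requester]

def leaked_fields(uploads, requester):
    """Count (field, value) pairs in the flawed export that the requester never uploaded."""
    own = {kv for who, f in uploads if who == requester for kv in f.items()}
    return sum(1 for rec in export_vulnerable(uploads, requester)
               for kv in rec.items() if kv not in own)
```

Comparing `leaked_fields` against the number of items in a breach notification is the check the researchers describe: a notice listing fewer items than this count under-reports the exposure.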