Well, great. Not only has the NSA been watching our every ill-advised tagged photo on Facebook, but apparently the site itself was giving away our contact information to any number of people for the past year without our knowledge.
Facebook admitted today that they just fixed a bug that had exposed users' private emails and phone numbers via the "Download Your Information" function used by people deactivating their accounts. The bug allowed those people to download contact data for a variety of people with whom they had some connection, though it's unclear what shape the data was in or how many people even did this. It doesn't appear that anyone used the information in any malicious way, but the stuff could be out there as it looks like the bug had been present for about a year, and affected 6 million accounts.
Here's a statement via Facebook's blog:
Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people’s contact information as part of their account on Facebook. As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection.
We've concluded that approximately 6 million Facebook users had email addresses or telephone numbers shared. There were other email addresses or telephone numbers included in the downloads, but they were not connected to any Facebook users or even names of individuals. For almost all of the email addresses or telephone numbers impacted, each individual email address or telephone number was only included in a download once or twice. This means, in almost all cases, an email address or telephone number was only exposed to one person. Additionally, no other types of personal or financial information were included and only people on Facebook - not developers or advertisers - have access to the DYI tool.
The bug's been fixed. But ugh.