BreachExchange mailing list archives

Facebook admits year-long data breach exposed 6 million users
From: Erica Absetz <erica () riskbasedsecurity com>
Date: Fri, 21 Jun 2013 20:06:46 -0500

http://www.reuters.com/article/2013/06/21/us-facebook-security-idUSBRE95K18Y20130621

(Reuters) - Facebook Inc has inadvertently exposed 6 million users'
phone numbers and email addresses to unauthorized viewers over the
past year, the world's largest social networking company disclosed
late Friday.

Facebook blamed the data leaks, which began in 2012, on a technical
glitch in its massive archive of contact information collected from
its 1.1 billion users worldwide. As a result of the glitch, Facebook
users who downloaded contact data for their list of friends obtained
additional information that they were not supposed to have.

Facebook's security team was alerted to the bug last week and fixed it
within 24 hours. But Facebook did not publicly acknowledge the bug
until Friday afternoon, when it published an "important message" on
its blog explaining the issue.

A Facebook spokesman said the delay was due to company procedure
stipulating that regulators and affected users be notified before
making a public announcement.

"We currently have no evidence that this bug has been exploited
maliciously and we have not received complaints from users or seen
anomalous behavior on the tool or site to suggest wrongdoing,"
Facebook said on its blog.

While the privacy breach was limited, "it's still something we're
upset and embarrassed by, and we'll work doubly hard to make sure
nothing like this happens again," it added.

The breach follows recent disclosures that several consumer Internet
companies turned over troves of user data to a large-scale electronic
surveillance program run by U.S. intelligence.

The companies include Facebook, Google Inc, Microsoft Corp, Apple Inc
and Yahoo Inc.

The companies, led by Facebook, successfully negotiated with the U.S.
government last week to reveal the approximate number of user
information requests that each company had received, including secret
national security orders.
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/