Last week, Facebook apologized for leaking contact information for an estimated 6 million users of the world’s largest social network. But according to computer security experts, the site may be drastically underestimating the extent to which personal data was leaked, suggesting the number of Americans affected is indeed far higher. Further, many will never even know their data was compromised.
The culprit behind the privacy blunder is Facebook’s rarely used Download Your Information (DYI) tool, which allows you to make a hard copy of your social networking history. However, a bug in Facebook’s database inadvertently included in DYI reports some data that was supposed to be private, mainly phone numbers and email addresses of third parties that the site never had permission to share.
When someone gives the Facebook mobile app permission to look through their phone’s address book, the social network saves all the information contained within to its servers. This means that even if you don’t have an account on Facebook, the site may still be maintaining a rich database of information on you, including your phone number, email address, place of work, birthday and other personal data that might be in an acquaintance’s personal address book.
Facebook sent out email notifications to the 6 million users it stated were affected, but according to noted computer security blog Packet Storm, the company is drastically underestimating the extent to which personal information was leaked. Packet Storm’s own independent analysis showed that “in one case, (Facebook) stated 1 additional email address was disclosed, though 4 pieces of data were actually disclosed. For another individual, they only told him about 3 out of 7 pieces of data disclosed.”
Perhaps even more upsetting is the fact that people who were not on Facebook also had their private information leaked, and the site is making no effort to contact or notify them. It is Facebook’s official policy that your personal data doesn’t belong to you so long as another user uploaded it. It’s a chilling reminder that, in 2013, the only way to make sure your personal information stays private may be to make sure you literally share it with no one.