Packet Storm, the security site which helped report the bug to Facebook, compared the firm’s disclosure of the bug and what data was affected to its own test data, according to ZDNet.
It found that where Facebook had told affected users that only their email address had been leaked, the way the site matches contact information means much more data could have been leaked.
"In one case, they stated one additional email address was disclosed, though four pieces of data were actually disclosed. For another individual, they only told him about three out of seven pieces of data disclosed," said Packet Storm. "It would seem clear that they did not enumerate through the datasets to get an accurate total of the disclosure."
Facebook said it wasn’t telling users about additional information that may have been leaked because it couldn’t always confirm who that information belonged to. According to Packet Storm, that means many more than six million users have probably been affected by the bug - as well as many non-Facebook users.
How it worked
The bug was linked to Facebook’s ability to generate friend recommendations from extra information provided by users, such as their email contact list or phone book.
Because users often allow Facebook to scan entire address books, contact information for people not signed up to the social network also gets uploaded.
And if several users have a friend in common, and each has different contact details for that friend, Facebook might glean the work phone number, home phone number and email address from several different sources, provided a single piece of information matches across them.
In spite of this, the social network reassured users that "no other information about you has been shown", which Packet Storm described as a "red herring". The social network also didn’t attempt to notify people whose contact details may have been uploaded or leaked, but who weren’t signed up to Facebook.
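To make the matching described above concrete, here is an added illustration (not Facebook's code; the uploader names and contact values are constructed) of how one shared field merges records from several address books into a single identity, and how keeping provenance lets an export tool hand back only the details the requesting user supplied themselves.

```python
from collections import defaultdict

# Constructed sample data: three users each upload an address-book record for
# the same person, with different, partly overlapping contact details.
UPLOADS = {
    "alice": {("email", "bob@example.com"), ("work_phone", "555-0100")},
    "carol": {("email", "bob@example.com"), ("home_phone", "555-0199")},
    "dave":  {("work_phone", "555-0100"), ("email", "bob.w@example.org")},
}

def merge_contacts(uploads):
    """Link every uploaded record that shares at least one (field, value) pair
    with another (union-find). Returns (clusters, provenance): clusters maps
    each uploader to all pairs in its merged identity; provenance maps each
    pair to the uploaders who actually supplied it."""
    parent = {u: u for u in uploads}

    def find(u):
        while parent[u] != u:
            parent[u] = parent[parent[u]]   # path compression
            u = parent[u]
        return u

    provenance = defaultdict(set)
    for uploader, pairs in uploads.items():
        for pair in pairs:
            for other in provenance[pair]:  # one matching piece links records
                parent[find(uploader)] = find(other)
            provenance[pair].add(uploader)
    merged = defaultdict(set)
    for uploader, pairs in uploads.items():
        merged[find(uploader)] |= pairs
    return {u: merged[find(u)] for u in uploads}, provenance

def export_unsafe(uploader, uploads):
    """Flawed export: returns the whole merged identity, including details
    that other users' address books contributed."""
    clusters, _ = merge_contacts(uploads)
    return clusters[uploader]

def export_safe(uploader, uploads):
    """Hardened export: only the pairs this uploader supplied themselves."""
    _, provenance = merge_contacts(uploads)
    return {pair for pair, sources in provenance.items() if uploader in sources}

def count_disclosed(uploader, uploads):
    """Pieces of other people's data the flawed export would reveal to this user."""
    return len(export_unsafe(uploader, uploads) - export_safe(uploader, uploads))
```

Counting the difference per user is the enumeration Packet Storm says was missing: it yields the real number of pieces disclosed rather than the one field a notification might mention.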
Dossiers on non-users
The bug also brought Facebook’s practice of collecting data on non-users to light, reaping information from the address books voluntarily uploaded by its users.
Because the "Download Your Information" tool housed contact information sourced from multiple users, Facebook can build "large dossiers on people", even if they aren't on Facebook, said Packet Storm.
"In our testing, we found that uploading one public email address for an individual could reap a dozen additional pieces of contact information," said Packet Storm. "It should also be noted that the collection of this information goes for all of the data uploaded, regardless of whether or not your contacts are Facebook users."
Facebook hasn't responded to a request for comment.