Facebook announced on the Facebook Security page that a bug has affected approximately 6 million Facebook users. The bug allowed users’ email addresses and/or phone numbers to be accessed by people who “either had some contact information about that person or some connection to them”. From the Facebook post:
We’ve concluded that approximately 6 million Facebook users had email addresses or telephone numbers shared. There were other email addresses or telephone numbers included in the downloads, but they were not connected to any Facebook users or even names of individuals. For almost all of the email addresses or telephone numbers impacted, each individual email address or telephone number was only included in a download once or twice. This means, in almost all cases, an email address or telephone number was only exposed to one person. Additionally, no other types of personal information or financial information were included and only people on Facebook – not developers or advertisers – have access to the DYI tool.
The “DYI” tool is the “Download Your Information” tool. In short, people were using it to download an archive of their own Facebook account, and when they did, “they may have been provided with additional email address or telephone numbers for their contacts or people with whom they have some connection”.
Facebook says it confirmed the bug, then immediately disabled the DYI tool. It turned the tool back on after fixing the bug. According to Reuters, the data leaks from this bug began in 2012 and were a “year long data breach”.