The bug, which has since been repaired, was part of the Download Your Information tool, which lets Facebook users export all the data from profiles, such as posts to their timeline and conversations with friends. People using the tool may have downloaded inadvertently the contact information for people they were somehow connected to.
Some people upload their contact lists or address books to Facebook, which the company then uses to suggest new friends they can connect with who are already using the service.
Though the number of people impacted is sizable, the actual spread of their contact information appears to be limited. The phone numbers and e-mail addresses were not exposed to developers or posted publicly. It is only shown to people they had at least a tentative connection with, and who may have already had their contact information. Even in that pool, it was only exposed to people who had used the data-exporting tool.
"For almost all of the email addresses or telephone numbers impacted, each individual email address or telephone number was only included in a download once or twice. This means, in almost all cases, an email address or telephone number was only exposed to one person," Facebook's security team said in a post.
The company says it has no evidence that the bug was "exploited maliciously" and that there have been no complaints so far.
The social media company announced the bug on Friday afternoon. The issue was discovered by a third-party security researcher who submitted it through Facebook's White Hat program.
Facebook's White Hat program is set up so that people such as security researchers can report any vulnerabilities they find on the social network and get a reward for $500 and up in return. These types of programs are common at Internet companies.
"Your trust is the most important asset we have, and we are committed to improving our safety procedures and keeping your information safe and secure," read the post.
People who were affected by the bug will receive an e-mail from Facebook.