'Please review your posts': Facebook bug may have shared 14M users' private info

The company made the posts private again within nine days, but the damage may have been done.

Sean Hollister Senior Editor / Reviews
When his parents denied him a Super NES, he got mad. When they traded a prize Sega Genesis for a 2400 baud modem, he got even. Years of Internet shareware, eBay'd possessions and video game testing jobs after that, he joined Engadget. He helped found The Verge, and later served as Gizmodo's reviews editor. When he's not madly testing laptops, apps, virtual reality experiences, and whatever new gadget will supposedly change the world, he likes to kick back with some games, a good Nerf blaster, and a bottle of Tejava.
Sean Hollister
2 min read
James Martin/CNET

Facebook has admitted to an incredibly embarrassing bug -- one that encouraged 14 million users to share posts publicly when they intended them to be private. 

According to Facebook, only four days worth of posts could have been accidentally shared -- ones published between May 18 and May 22, and the company has automatically changed them back to private, too. Your secrets are safe -- unless someone saw them, of course. 

Facebook says it didn't make the posts private again until May 27, so it's possible that mere acquaintances could have seen sensitive info during that nine-day span. Affected users will see a "Please review your posts" pop-up in their Facebook feed so they can review what private details they might have accidentally leaked.

Watch this: Facebook bug changes 14 million users' settings, Amazon Fire TV Cube makes Alexa the remote

Here's the full statement from Facebook Chief Privacy Officer Erin Egan: 

"We recently found a bug that automatically suggested posting publicly when some people were creating their Facebook posts. We have fixed this issue and starting today we are letting everyone affected know and asking them to review any posts they made during that time. To be clear, this bug did not impact anything people had posted before – and they could still choose their audience just as they always have. We'd like to apologize for this mistake."

How did this happen? The company says it was testing out a new feature, one that would suggest people share featured profile items publicly. But Facebook accidentally set "public" as the default for posts, too. If you shared a post to Facebook during that period, and didn't notice that your default sharing setting had changed, you would have broadcast it out to the world.

At a time when trust in Facebook is rather low, it's terrible timing for the company to have an error like this -- and pretty incredible to see that the metaphorical flip of a switch could lead to so many people's privacy settings changing, even temporarily. 

Originally published June 7 at 1:59 p.m. PT.
Update, 4:58 p.m. PT: Clarified that the Facebook bug didn't make existing private posts public, but rather changed the default sharing setting for new posts to public rather than private, which could (and did) broadcast some posts that were meant to be private.

Disclosure: Sean Hollister's wife works for Facebook as an internal video producer.

The nine types of Facebook ads that Russian trolls paid for

See all photos