Facebook (FB) has learned that a bug in one of its programs inadvertently revealed contact information on some six million users.

The world’s biggest social network said a programming flaw in a tool that lets users take their profile offline sometimes passed along additional email addresses and telephone numbers of contacts or “people with whom they have some connection.” That means contact details that were meant to be left unshared – say a private work line, or a mobile number – could have been revealed to an unknown number of individuals. However, Facebook told users that in most cases, they would have known the individual with whom the data were shared. 

A Facebook spokesperson said the programming error had existed since last year. 

“We have already notified our regulators in the US, Canada and Europe, and we are in the process of notifying affected users via email,” Facebook said in a blog post late Friday.

The company said it was “embarrassed” by the security lapse, and vowed to “work doubly hard to make sure nothing like this happens again.”

The bug was actually located by a so-called “White Hat” security researcher, as opposed to Facebook’s internal staff. Facebook said it “paid out a bug bounty to thank him for his efforts.” The company wouldn't disclose the exact amount paid out, but a spokesperson said the rewards are at least $500. Companies are increasingly relying on “good hackers” to find security flaws before more nefarious individuals access them.

Facebook said the tool has been fixed and there is “no evidence that this bug has been exploited maliciously.” The Menlo Park, Calif.-based company also noted that no financial information or other contact details were revealed.

The company’s shares traded lower by less than 1% in extended trading.

Follow Adam Samson on Twitter @adamsamson.