Facebook users are reporting today that the social-networking site appears to have added (or re-added) them to Facebook Groups that they either don't recall subscribing to or thought they had left years ago. Meanwhile, administrators of groups are reporting seeing dozens of new members added overnight, including to groups that contain sensitive private information that the new members shouldn't have permission to see.
In a blog post Wednesday, Graham Cluley of the security firm Sophos pointed out a thread on a Facebook community forum that began with this post at around 3 a.m. eastern time Wednesday from a user named Mary Langley Pettit:
It's 3 a.m. I was asleep and my phone suddenly tells me I have 50 notifications from groups I somehow joined while I was sleeping. Some of them were groups I used to belong to but left, some aren't. ALL say I joined "24 minutes ago" while I was sleeping. What gives? No notifications saying I was added by anyone, just that I joined.
Pettit's complaint has been followed by numerous similar posts from other users, including some who said that members they had banned from private groups had been re-added without their permission.
Facebook has confirmed that there is some kind of glitch, giving the following statement to the BBC's Rory Clellan-Jones: "Some users appear to have been re-added to groups that they have left in the past. We are investigating." That leaves it unclear whether users have also been added to groups that they never joined, or from which they've been banned. In past Facebook privacy scares, it has sometimes turned out that users have mistaken memories of what they did and didn't do on the site years ago.
A quick check of my own Facebook profile suggests that I too have been re-added to a slew of old groups, though I don't see any that I never joined at all. When I click on those old groups, the following message appears at the top of the page:
Whatever's going on here, it is, as Cluley notes, "a far cry from the 'private space' that Facebook advertises its Groups feature as being." I've asked Facebook for an explanation and will update when they reply. Meanwhile, this would probably be an opportune time to open up your own Facebook profile and unsubscribe from the groups you don't want to be a part of. And if you're an administrator of a private group, it wouldn't be a bad idea to check and see if any unauthorized members have turned up on the roster lately.
UPDATE, 3:38 p.m.: A Facebook spokesman gave me the following statement:
A bug surfaced last night that caused some users to be re-added to groups that they previously belonged to. We are working to resolve the issue now. In the meantime, we are rolling out a short-term fix for all closed groups that will make the content of those groups inaccessible to the re-added members.
So it seems that the bug did not in fact add users to groups they had never joined—just groups they had previously joined and then left (or, perhaps, been banned from, though Facebook has not confirmed those reports). That's a little reassuring, though in some cases being re-added to a group that you had left for good reason—or been boooted out of—might be just as alarming from a privacy perspective.
In any case, it's pretty clear this was all unintentional on Facebook's part, putting it in a different class of privacy scares from the ones that ensue when the company intentionally makes changes that some users find creeepy. Every Web company has bugs, of course. It's just that they're especially worrisome in the case of a social network that has access to so much of its users' personal information. Lately Facebook has been downplaying its famous "Move Fast and Break Things" philosophy, and this incident is another example of why that's probably wise.