The "privacy leak" was spotted by Symantec, which said that the latest version of Norton Mobile Security, which includes a new Mobile Insight tool that dynamically assesses Android apps for potential security or privacy violations, had flagged Facebook's Android app.
"The first time you launch the Facebook application, even before logging in, your phone number will be sent over the Internet to Facebook servers," according to a Symantec blog post. "You do not need to provide your phone number, log in, initiate a specific action, or even need a Facebook account for this to happen."
According to Google Play, Facebook's Android app has been installed on between 100 million and 500 million devices. Symantec said that "a significant portion of those devices are likely affected."
[ More comes to light about whistleblower's job description. Read Snowden's Real Job: Government Hacker. ]
Numerous Android apps slurp excessive data for various reasons -- perhaps owing to developers' coding errors, to support "find my friend" features, or to allow developers or advertising networks to better track individual users.
But Facebook spokesman Derick Mains, confirming Symantec's bug report, said it had resulted from an inadvertent coding error. "The Android beta we released last week includes the fix," he said via email. "We did not use or process these numbers in any way, and have already deleted them from our servers."
That Android beta was the first beta build released by Facebook as part of its expanded beta testing program. Previously, new versions of the Android app were tested by about 1,000 Facebook employees. But owing to Android fragmentation, the company has opened up the program to anyone who wants to join the Facebook for Beta Testers group. Facebook said it's hoping to release the updated Android app -- with the privacy-leak patch -- to Google Play for general downloading on July 8.
The Android bug wasn't the only recent privacy snafu involving Facebook. Last month, the social network reported that it had fixed a bug on its servers -- reported via its Facebook White Hat bug bounty program -- that was inadvertently storing email addresses and telephone numbers for 6 million users.
"Because of the bug, some of the information used to make friend recommendations and reduce the number of invitations we send was inadvertently stored in association with people's contact information as part of their account on Facebook," said a Facebook security advisory. "As a result, if a person went to download an archive of their Facebook account through our Download Your Information (DYI) tool, they may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection. This contact information was provided by other people on Facebook and was not necessarily accurate, but was inadvertently included with the contacts of the person using the DYI tool."
Facebook said that when it learned of the bug, it immediately deactivated the DYI tool, fixed the code involved, and had the DYI tool working again the following day. It said it's been notifying regulators in the United States, Canada and Europe, as well as affected users.
"We currently have no evidence that this bug has been exploited maliciously and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing," according to the Facebook statement.
The company apologized for the bug. "Although the practical impact of this bug is likely to be minimal since any email address or phone number that was shared was shared with people who already had some of that contact information anyway, or who had some connection to one another, it's still something we're upset and embarrassed by, and we'll work doubly hard to make sure nothing like this happens again," it said. "Your trust is the most important asset we have."