Facebook says it is "upset and embarrassed" that a software bug resulted in the phone numbers and email addresses of some 6 million users being improperly shared.

But the social network says no financial or other information was revealed to others, and there is "no evidence that this bug has been exploited maliciously".

Facebook says affected users are being notified by email.

It has stressed that the practical impact is likely to be "minimal," partly because improper data sharing would only have occurred between users who already had some connection.

"We take people's privacy seriously, and we strive to protect people's information to the very best of our ability," it said in a security note.

"Even with a strong team, no company can ensure 100 per cent prevention of bugs."

Facebook says the bug "may have allowed some of a person's contact information to be accessed by people who either had some contact information about that person or some connection to them".

It says the unwarranted sharing would have occurred when a Facebook user went to download an archive of their Facebook account through the social network's Download Your Information (DYI) tool.

"They may have been provided with additional email addresses or telephone numbers for their contacts or people with whom they have some connection," Facebook said.

"We've concluded that approximately 6 million Facebook users had email addresses or telephone numbers shared.

"We currently have no evidence that this bug has been exploited maliciously, and we have not received complaints from users or seen anomalous behaviour on the tool or site to suggest wrongdoing.

"Although the practical impact of this bug is likely to be minimal since any email address or phone number that was shared was shared with people who already had some of that contact information anyway, or who had some connection to one another, it's still something we're upset and embarrassed by."

AFP