Yahoo has closed a months-old bug that let anyone access the name, email and message sent by Flickr users who invited friends to join the photo sharing service.
But the web company was criticised for acting too slowly after the bug was brought to its attention. Its staff initially suggested that the system was “working as designed” when the flaw was pointed out.
The privacy hole exposed the entire contents of the private invitations. But Yahoo engineers originally dismissed concerns, suggesting that the system was part of the invitation resend function, and insisting that “sensitive data” was not being made available.