Facebook said it “unintentionally uploaded” the email contacts of 1.5 million new users since May 2016, Business Insider reported on Wednesday. The social media company harvested email contacts of the users without their consent when they opened their accounts.
The company said it is now deleting them. Facebook will also notify the affected users.
It is not clear if these contacts were also used for ad-targeting purposes. Facebook did not access the contacts of users’ emails, the company said.
The matter was noticed after a security researcher noticed that Facebook was asking some users to enter their email passwords when they signed up for new accounts to verify their identities. If someone entered the email password, a message popped up saying it was importing the contacts, without asking for permission. Before May 2016, Facebook offered an option to verify a user’s account and voluntarily upload their contacts at the same time.
“Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time,” the company said in a statement. “We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings.”
Facebook has been hit by multiple security breaches in recent months.
In March, Facebook acknowledged that hundreds of millions of user passwords were stored in a readable format in its internal data storage system and that the glitch has now been fixed. The company said the passwords were not visible to anyone outside the company and claimed it did not find any evidence of access being abused. In September, Facebook said it had discovered a security breach that has affected about 50 million users. Last year, it was also embroiled in the Cambridge Analytical data breach scandal.