Facebook “unintentionally” uploaded the email contacts of more than 1.5 million users without asking permission to do so, the social network has admitted.
The data harvesting happened via a system used to verify the identity of new members,
Facebook asked new users to supply the password for their email account, and took a copy of their contacts.
Facebook said it had now changed the way it handled new users to stop contacts being uploaded.
All those users whose contacts were taken would be notified and all the contacts it had grabbed without consent would be deleted, it said.
The information grabbed is believed to have been used by Facebook to help map social and personal connections between users.
Contacts started being taken without consent in May 2016, the company told Business Insider, which broke the story.
Before this date, new users were asked if they wanted to verify their identity via their email account. They were also asked if they wanted to upload their address book voluntarily.
This option and the text specifying that contacts were being grabbed was changed in May 2016 but the underlying code that actually scraped contacts was left intact, said Facebook.
Ireland’s Data Protection Commissioner, which oversees Facebook in Europe, is engaged with the firm to understand what happened and its consequences.
The email contacts case is the latest in a long series in which Facebook has mishandled the data of some of its billions of users.
In late March, Facebook found that the passwords of about 600 million users were stored internally in plain text for months.
The ongoing breaches and other criticisms of Facebook are also prompting some high-profile users to bow out. The latest is Democrat Representative Alexandria Ocasio-Cortez who said she had “quit” the social network.
In an interview with a Yahoo News podcast she said: “I personally gave up Facebook, which was kind of a big deal because I started my campaign on Facebook.”
She added that social media posed a “public health risk”.