Apr 17, 2019 - Technology

Facebook collected email contacts of 1.5 million users without permission

Photo: SOPA Images/Getty Images

Since May 2016, Facebook collected the contact lists of 1.5 million new users in the account confirmation process, calling the action "unintentional," and now, plans to erase the data, Facebook confirmed.

“Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people's email contacts were also unintentionally uploaded to Facebook when they created their account. We estimate that up to 1.5 million people's email contacts may have been uploaded. These contacts were not shared with anyone and we're deleting them. We've fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings.”
— Facebook comment

The backdrop: Per Business Insider, the news comes after a security researcher recognized that Facebook prompted some users to enter their email passwords upon signing up for new accounts as a part of its identity verification process. When the company proceeded with a redesign in May 2016, it removed the explanatory language without realizing that contacts could still be uploaded in some cases. Business Insider discovered that if a user chose not enter their email password, a message appeared explaining Facebook was "importing" contacts, without permissions. The purpose behind this remains unclear. In response to criticism, Facebook told Axios on April 2, it would halt the practice of requesting users email passwords as a means of verifying some new accounts.

Go deeper