Facebook confirmed it “unintentionally” collected the contact lists of 1.5 million people who joined the social network from May 2016. It imported the contacts without asking for the user’s permission.
Contacts Imported ‘Unintentionally’
Facebook used the data that it hoovered up for its social web and offer recommendations of friends for users to add. It had not been confirmed whether the contact information had been used for advertising at the time of this writing. The company said that it was deleting the contact uploaded information.
Email Passwords for Account Verification
A security researcher brought the issue to light. They realised that Facebook was asking some users for their email password to verify their identity. When a user entered that password, Facebook began importing the contacts (via Business Insider).
In a statement, a spokesperson for Facebook said:
Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people’s email contacts were also unintentionally uploaded to Facebook when they created their account. We estimate that up to 1.5 million people’s email contacts may have been uploaded. These contacts were not shared with anyone and we’re deleting them. We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings.