Since 2016, Facebook has reportedly harvested email contacts of 1.5 million users without their consent. According to Business Insider, the media outlet that broke the story, the company had been collecting the contact lists of new users since May 2016.
In a statement, Facebook confirmed that it had been unintentionally uploading this data when people were verifying their accounts.
"Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time," said the statement. "When we looked into the steps people were going through to verify their accounts we found that in some cases people's email contacts were also unintentionally uploaded to Facebook when they created their account.
"We estimate that up to 1.5 million people's email contacts may have been uploaded. These contacts were not shared with anyone and we're deleting them. We've fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings."
According to Business Insider, a security researcher realized that Facebook was asking some users to "enter their email passwords when they signed up for new accounts to verify their identities." The outlet then discovered that when a user entered their email password, "a message popped up saying it was 'importing' contacts, without asking for permission first."
A Facebook spokesperson also confirmed that these contacts were uploaded into Facebook's systems, where they were used to build "Facebook's web of social connections" and recommend friends.
It's not known whether these contacts were also used for ad-targeting purposes, similar to the Cambridge Analytica scandal that happened last year. The exposé, which was released by The Observer, led to Facebook having to answer questions from the US Senate and the UK government.
Infosecurity Magazine reported that at the beginning of April, over half a billion personal Facebook records were publicly exposed to the internet by two third-party app developers. UpGuard claimed to have found the two datasets stored in Amazon S3 buckets, which were configured to allow public download of files.
“The data exposed in each of these sets would not exist without Facebook, yet these data sets are no longer under Facebook’s control. In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security,” explained UpGuard.
With regard to the latest data mishap, Facebook plans to notify the 1.5 million users affected and delete their contacts from the company's systems.