In what appears to be another addition to the growing list of data privacy breaches, Facebook has admitted it “unintentionally” uploaded the email contacts of 1.5 million users without their consent.
The data harvesting happened via a system used to verify the identity of new members. Facebook asked new users to supply the password for their email account and took a copy of their contacts.
Facebook has, however, said it has now changed the way it handles new users to stop contacts from being uploaded. The company told Business Insider that contacts were taken without consent as far back as May 2016.
Before this date, new users were asked if they wanted to verify their identity via their email account. They were also asked if they wanted to upload their address book voluntarily.
Facebook confirmed that this option and the text specifying that contacts were being grabbed were changed in May 2016, but the code that scraped contacts was left intact.
In late March, Facebook found that the passwords of about 600 million users were stored internally in plain text for months.
According to a source familiar with the matter, users affected by the incident were not limited to the United States.
Meanwhile, a company spokesperson said the contacts were not shared with anyone and Facebook is deleting them.
“We’ve fixed the underlying issue and are notifying people whose contacts were imported.
People can also review and manage contacts they share with Facebook in their settings,” the spokesperson said.