FILE - In this April 11, 2018, file photo, Facebook CEO Mark Zuckerberg pauses while testifying before a House Energy and Commerce hearing on Capitol Hill in Washington about the use of Facebook data to target American voters in the 2016 election and data privacy. Zuckerberg said Facebook will start to emphasize new privacy-shielding messaging services, a shift apparently intended to blunt both criticism of the company's data handling and potential antitrust action. (AP Photo/Andrew Harnik, File)
FILE – In this April 11, 2018, file photo, Facebook CEO Mark Zuckerberg pauses while testifying before a House Energy and Commerce hearing on Capitol Hill in Washington about the use of Facebook data to target American voters in the 2016 election and data privacy. Zuckerberg said Facebook will start to emphasize new privacy-shielding messaging services, a shift apparently intended to blunt both criticism of the company’s data handling and potential antitrust action. (AP Photo/Andrew Harnik, File)

 

  • Facebook says that it ‘unintentionally uploaded’ the e-mail contacts of 1.5 million new Facebook users since May 2016.
  • The revelation comes after a security researcher noticed that Facebook was asking some users to enter their email passwords when they signed up for new accounts to verify their identities, in a move widely condemned by security experts.
  • Business Insider then discovered that if you did enter your email password, a message popped up saying it was “importing” your contacts, without asking for permission first.
  • Facebook says that it didn’t mean to upload these contacts, and is now in the process of deleting them.

Facebook harvested the email contacts of 1.5 million users without their knowledge or consent when they opened their accounts.

Business Insider has learned that since May 2016, the social networking company has collected the contact lists of 1.5 million users new to the social network. The Silicon Valley company says they were “unintentionally uploaded to Facebook,” and it is now deleting them. You can read Facebook’s full statement below.

The revelation comes after a security researcher noticed that Facebook was asking some users to enter their email passwords when they signed up for new accounts to verify their identities, in a move widely condemned by security experts. Business Insider then discovered that if you did enter your email password, a message popped up saying it was “importing” your contacts, without asking for permission first.

At the time, it wasn’t clear what was actually happening — but a Facebook spokesperson has now confirmed that 1.5 million people’s contacts were collected this way, and fed into Facebook’s systems, where they were used to build Facebook’s web of social connections and recommend friends to add. It’s not immediately clear if these contacts were also used for ad-targeting purposes.

facebook authentication
The “importing contacts” dialogue box in question. Screenshot/Rob Price

 

Facebook says that prior to May 2016, it offered an option to verify a user’s account and voluntarily upload their contacts at the same time. However, Facebook says, it changed the feature, and the text informing users that their contacts would be uploaded was deleted — but the underlying functionality was not. Facebook didn’t access the content of users’ emails, the spokesperson added.

The incident is the latest privacy misstep from the beleaguered technology giant, which has lurched from scandal to scandal over the last two years.

Facebook now plans to notify the 1.5 million users affected over the coming days, and delete their contacts from the company’s systems.

Facebook’s full statement, per a spokesperson:

“Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people’s email contacts were also unintentionally uploaded to Facebook when they created their account. We estimate that up to 1.5 million people’s email contacts may have been uploaded. These contacts were not shared with anyone and we’re deleting them. We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings.”

As reported by Business Insider