Since May 2016, the social-networking company Facebook confirmed it had collected the contact lists of 1.5 million users new to the social network, it revealed, adding that contacts were "unintentionally uploaded to Facebook," and it is now deleting them.
The revelation comes after pseudonymous cyber-security expert e-sushi detected that Facebook was requesting some users to enter their email passwords when they signed up for new accounts to verify their identities.
It was further discovered that if you entered your email password, a message popped up saying it was "importing" your contacts without initially asking for permission.
READ MORE: Facebook User Data Scandal Shows 'We Are the Product' — Cybersecurity Firm CEO
A Facebook spokesperson confirmed that before May 2016, it offered an option to verify a user's account and voluntarily upload their contacts at the same time. However, the company changed the feature, and the text informing users that their contacts would be uploaded was deleted, while the underlying functionality was left intact. Facebook didn't access the content of users' emails, the spokesperson added.
In its statement, via a spokesperson, Facebook said:
“Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts, we found that in some cases people's email contacts were also unintentionally uploaded to Facebook when they created their account. We estimate that up to 1.5 million people's email contacts may have been uploaded. These contacts were not shared with anyone and we're deleting them. We've fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings”.
The social media giant harvested the emails of the users without their consent. These emails were taken at the time of these users signing up on the platform.https://t.co/U58DI1yvL4
— The Quint (@TheQuint) April 18, 2019
Facebook has now announced plans to notify the 1.5 million affected users over the coming days and delete their contacts from the company's systems.
READ MORE: How to Buy Influence and Lose Friends
Facebook's history of securing user privacy has been far from pristine: 2018 saw the tech giant embroiled in a scandal after it was revealed that a London-based political consultancy firm, Cambridge Analytica, had used the personal information of millions of users without their consent, with Facebook confessing to have been aware of the breach since 2015.
