Social media giant Facebook on Wednesday confirmed that it “unintentionally uploaded” the email contacts of some 1.5 million users without their express consent since May 2016, a mistake the company is taking steps to correct, a report by AppleInsider reveals.
A security researcher discovered the apparent error after finding that Facebook was asking some users to provide both an email address and the corresponding password to verify their identity when opening a new account, reports Business Insider.
Upon entering the information, the social network automatically imported contacts stored on an email provider’s servers. The report suggests Facebook logged in to customer email accounts, pulled contact information and stored that data without first asking consent.
In a statement to the publication, Facebook said the email upload mechanism is a vestige of a bygone user experience feature. Prior to May 2016, a one-step sign-up process allowed users to both verify their identity and upload email contacts to the network. That service, along with the text notifying users of the feature, was deprecated, but the automated contact upload function was not.
Facebook estimates up to 1.5 million users were impacted by the flaw.
“Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time,” a spokesperson said. “When we looked into the steps people were going through to verify their accounts we found that in some cases people’s email contacts were also unintentionally uploaded to Facebook when they created their account.”
In confirming the error, Facebook noted no contacts were shared and that it is in the process of deleting the gathered information. Users whose contacts were imported are being informed of the error.
“We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings,” the spokesperson said.