A worrying new report has revealed that Facebook harvested the email contacts of more than 1.5 million users who joined the platform since 2016 – without their consent.
The report, by Business Insider, revealed that Facebook ‘unintentionally’ uploaded the email contacts after asking some users for their email passwords when signing up to the site as a way of verifying their identity.
This practice has been widely criticised by security experts.
According to the report, users who did enter their password then saw a pop-up message telling them their contacts were being imported to Facebook, without asking for permission to do so first.
The incident is the latest in a growing list of data privacy breaches to hit the social network.
Facebook said the flaw had been caused by a feature which had enabled users to confirm their account and import their email contacts at the same time. A redesign in 2016 had removed some of the language which explained this, but the feature was still uploading contacts in some cases.
"Earlier this month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time," a spokeswoman said.
"When we looked into the steps people were going through to verify their accounts we found that in some cases people's email contacts were also unintentionally uploaded to Facebook when they created their account.
"We estimate that up to 1.5 million people's email contacts may have been uploaded. These contacts were not shared with anyone and we're deleting them.
"We've fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings."
Facebook's acknowledgement of the issue comes after concerns were raised by security researchers earlier this month.
Security expert Bennett Cyphers, from the Electronic Frontier Foundation, said "for all intents and purposes, this is a phishing attack" and labelled the process "downright irresponsible".