Social networking giant Facebook said on Wednesday evening it may have “unintentionally uploaded” the email contacts of up to 1.5 million users on its site, without their permission or knowledge, when they signed up for new accounts since May 2016.
Users affected by that incident were not just limited to the United States, according to a source familiar with the matter.
Those contacts were not shared with anyone and Facebook is deleting them, a company spokesperson told CNBC.
“We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage contacts they share with Facebook in their settings,” the spokesperson said.
Business Insider first reported the news and said a security researcher noticed the tech giant was prompting some users to type in their email passwords when they opened an account to verify their identity.
Facebook said it used to have a step in the account verification process where some users had the option to confirm their email address and voluntarily import their email contacts onto the site. The feature was meant to help them find their friends more effectively and improve ads, according to the company.
That process was redesigned in May 2016. While the language, which explained the step, was removed, the feature itself was not, Facebook said. Hence, email contacts were still being uploaded to the site without users being aware of that fact.