Facebook has collected the contact lists of 1.5 million users without their knowledge since May 2016.
It used the private data for ad targeting, building Facebook’s web of social connections and recommending friends to add, Business Insider reported.
A security researcher noticed the social-networking company asking new users for their email passwords when they signed up – a move widely condemned by experts. If someone entered their email password, a message popped up saying it was importing their contacts, without asking for permission.
A pseudonymous security researcher, e-sushi, took to Twitter to bring attention to the problem. He saw Facebook was asking him to enter his email password to verify his identity when he signed up for a new account.
Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you’re practically fishing for passwords you are not supposed to know! pic.twitter.com/XL2JFk122l
— e-sushi (@originalesushi) March 31, 2019
The company said the contact data was “unintentionally uploaded to Facebook,” and that it is now deleting the data.