Facebook harvested 1.5 million user email contacts without permission

The “unintentional uploads” have taken place since 2016.
Written by Charlie Osborne, Contributing Writer

Facebook "unintentionally" uploaded and stored email contact information belonging to roughly 1.5 million users over the course of three years.

The issue came to light after a security researcher notified the social media giant of a controversial verification system implemented for some users, in which they were asked to provide their email address credentials.

The practice is woeful in itself, and one that Facebook has since said was, in hindsight, "not the best way" to go about verification. But despite the company's promise to stop asking for these details, the security ramifications, it seems, went even deeper than first reported.

According to Business Insider, some of the users attempting to sign up for the first time who were asked for their email credentials would also see a pop-up message notifying them that their email contacts were being "imported" for the purposes of building up social connections.


Asking for the key to an email account for verification purposes on a third-party domain is bad enough and is not recommended in the interests of security: a mailbox password grants the site the same access as the account owner, far more than the proof of ownership that verification actually requires, and it trains users to type their credentials into sites other than their email provider's. Harvesting the contact data contained in these accounts -- without consent -- is even worse.
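One way to verify that a user controls an email address without ever asking for the mailbox password, as an added example that is not part of the original article or of Facebook's own systems: the server mails a random, single-use, time-limited token to the address and accepts only that token back. The link URL, the 15-minute validity window, the in-memory outbox standing in for a mail sender and the FakeClock standing in for the system clock are all assumptions made for this example.

```python
"""Email-ownership verification by one-time token (added example, not Facebook's code).

The only secret that ever crosses the wire is a token the server itself generated.
The user's mailbox password is never requested, so the site cannot log in to the
account and has no way to read its contact list.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a token is valid for 15 minutes
VERIFY_URL = "https://app.example/verify"  # assumption: hypothetical verification endpoint


class FakeClock:
    """Constructed stand-in for time.time() so expiry can be tested deterministically."""

    def __init__(self, now: float = 1000.0):
        self.now = now

    def __call__(self) -> float:
        return self.now


class EmailVerifier:
    def __init__(self, clock=time.time):
        self._clock = clock
        # email -> (sha256 hex of the token, expiry timestamp). Only the hash is
        # stored, so a leaked table does not hand out usable verification links.
        self._pending: dict[str, tuple[str, float]] = {}
        # Constructed stand-in for an SMTP sender: list of (recipient, link).
        self.outbox: list[tuple[str, str]] = []

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def start(self, email: str) -> None:
        """Issue a fresh token and 'mail' it. Re-issuing replaces any older token."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[email] = (self._hash(token), self._clock() + TOKEN_TTL_SECONDS)
        self.outbox.append((email, f"{VERIFY_URL}?token={token}"))

    def confirm(self, email: str, token: str) -> bool:
        """Return True exactly once, for the unexpired token issued to this address."""
        entry = self._pending.get(email)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[email]  # stale token is discarded, not kept around
            return False
        # Constant-time comparison of fixed-length digests avoids a timing oracle.
        if not hmac.compare_digest(token_hash, self._hash(token)):
            return False
        del self._pending[email]  # single use: a replayed link must fail
        return True


def token_from_link(link: str) -> str:
    """Pull the token back out of a verification link (what the user's click sends)."""
    return parse_qs(urlparse(link).query)["token"][0]


if __name__ == "__main__":
    clock = FakeClock()
    v = EmailVerifier(clock=clock)
    v.start("alice@example.org")
    tok = token_from_link(v.outbox[-1][1])
    print("first click:", v.confirm("alice@example.org", tok))    # True
    print("replayed link:", v.confirm("alice@example.org", tok))  # False
```

The three checks that matter are all in `confirm`: the token is compared in constant time against a stored hash rather than the plaintext, it expires, and it is consumed on first use. Note what the flow never touches: the user's email password, and therefore the mailbox and its contact list.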

A Facebook spokesperson said roughly 1.5 million users were involved and the upload of such information first began in May 2016.

Affected users will be notified over the coming days, and the social network says it is deleting their email contact information from its internal systems.

"Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time," the spokesperson said. "When we looked into the steps people were going through to verify their accounts we found that in some cases people's email contacts were also unintentionally uploaded to Facebook when they created their account."


The Facebook representative added that the contacts were not shared with anyone and the "underlying issue" has been fixed.

Since the Cambridge Analytica scandal broke in 2018, in which the data of roughly 87 million users was harvested for the purposes of voter profiling, story after story has broken related to Facebook's security failures and lackluster data protection practices.

In recent months alone, the social network has faced criticism for lax API controls that created broad and loose user data sharing arrangements with other companies; a secretive Facebook research scheme which paid teenagers for extensive access to their mobile activity and browsing habits was exposed; Facebook admitted to storing hundreds of millions of Facebook, Facebook Lite and Instagram passwords in plain text; and UK regulators slammed the company as a "digital gangster" which puts profit "before anything else."


In a more amusing mishap, however, Facebook's virtual reality arm Oculus said this week that it has accidentally shipped controllers with easter egg messages such as "Big Brother is Watching."
