Facebook “unintentionally” uploaded the email contacts of more than 1.5 million users without asking permission to do so, the social network has admitted.
The data harvesting happened via a system used to verify the identity of new members.
Facebook asked new users to supply the password for their email account, and took a copy of their contacts.
Facebook said it had now changed the way it handled new users to stop contacts being uploaded.
All those users whose contacts were taken would be notified and all the contacts it had grabbed without consent would be deleted, it said.
The information grabbed is believed to have been used by Facebook to help map social and personal connections between users.
Contacts started being taken without consent in May 2016, the company told Business Insider, which broke the story.
Before this date, new users were asked if they wanted to verify their identity via their email account. They were also asked if they wanted to upload their address book voluntarily.
This option and the text specifying that contacts were being grabbed was changed in May 2016 but the underlying code that actually scraped contacts was left intact, said Facebook.
Ireland’s Data Protection Commissioner, which oversees Facebook in Europe, is engaged with the firm to understand what happened and its consequences.