Facebook has admitted to accessing and storing the email contacts of up to 1.5 million of its users without their consent. Business Insider reports that between May 2016 and last month, the social networking platform asked some of its new users to verify their email address by providing the password to their email account. After they did so, their contacts were imported automatically, with no option for the user to opt out.
Responding to the report, a Facebook spokesperson told Business Insider that the email contacts were "unintentionally uploaded" as part of the process. They said that these contacts had never been shared with anyone and that the company is now deleting the contacts that were uploaded. Facebook also claims to have fixed the "underlying problem" that led to the issue.
Email verification is a standard practice for online services, but Facebook handled it in a very different way. Typically, when you sign up for a new service, you are asked to provide an email address, which then receives an email with a link that you must click manually to verify that the email account belongs to you.
Instead, Facebook had users verify their email account by submitting its password to Facebook. "To continue using Facebook, you must confirm your email address," read the page that asked for the user's email password.
Technically, users did not have to go through this process, but The Daily Beast notes that the service's more traditional verification options were hidden behind a "Do you need help?" link below the email password box. Users could also verify their account with a code sent to their phone.
Before May 2016, Facebook would also upload a user's contacts if they provided the password for their email account. However, that month, Facebook removed the message informing users that this upload was going to take place, but it did not stop the upload.
In the small print below the password box, Facebook stated that it would not store the password entered as part of this process. However, the social network, which has not had a security director since August of last year, has struggled to meet its security obligations. Last month, it emerged that the platform had stored hundreds of millions of passwords in plain text, and in the past it also used phone numbers provided for security verification purposes to target users with advertisements.
Facebook said that, in the coming days, it will notify anyone whose contacts were uploaded to the service.