The New York Attorney General's office is investigating Facebook for harvesting 1.5 million users' email contact data without their consent.

Business Insider revealed the practice earlier this month, which Facebook says was unintentional.

The company is facing mounting legal and regulatory scrutiny over its privacy and security practices.

Visit Business Insider's homepage for more stories.

The New York attorney general's office is launching an investigation into Facebook for harvesting 1.5 million users' email contact data without their consent, after the practice was revealed by Business Insider last week.

On Thursday, Attorney General Letitia James said she and her office would look into how Facebook has handled users' personal data. The existence of the investigation was first reported by The New York Times.

"We're in touch with the New York State attorney general's office and are responding to their questions on this matter," a spokesperson for Facebook told Business Insider.

Earlier in April, Business Insider reported that after asking some users for their email account passwords when they signed up for the social network, it would then access their email accounts without permission and scoop up users' contact books, using the data for ad-targeting purposes and to build out its web of social connections.

This took place from May 2016 onwards, and 1.5 million users were affected. Facebook says it was an accident, and that it previously notified users it would access their contact data — but that a change to its systems inadvertently removed this warning while leaving the underlying functionality intact.

In a statement, the New York Attorney General said:

"It is time Facebook is held accountable for how it handles consumers' personal information. Facebook has repeatedly demonstrated a lack of respect for consumers' information while at the same time profiting from mining that data. Facebook's announcement that it harvested 1.5 million users' email address books, potentially gaining access to contact information for hundreds of millions of individual consumers without their knowledge, is the latest demonstration that Facebook does not take seriously its role in protecting our personal information."

Facebook has battled through two years of scandals, from Cambridge Analytica's misappropriation of tens of millions of users' personal data to its role spreading hate speech that fueled genocide in Myanmar, and it is now facing mounting repercussions.

The Federal Trade Commission (FTC) is drawing close to reaching a settlement with the social network over privacy issues that Facebook expects to be a record-breaking $3 to $5 billion — though this didn't seem to turn away investors. And On Thursday, Canada also said it believed Facebook had broken the law, and plans to take it to court to force it to change its practices. The Irish Data Protection Commission, an EU data watchdog, had also said it is in contact with Facebook and is considering its next steps.

Experts have told Business Insider that they believe Facebook's actions in harvesting the 1.5 million users' email contact data may be illegal — suggesting it could violate the 2011 FTC consent decree, EU data privacy law GDPR, and potentially even the Computer Fraud and Abuse Act (CFAA). A Facebook spokesperson previously declined to comment on the legality of the company's actions.

Do you work at Facebook? Got a tip? Contact this reporter via encrypted messaging app Signal at +1 (650) 636-6268 using a non-work phone, email at rprice@businessinsider.com, Telegram or WeChat at robaeprice, or Twitter DM at @robaeprice. (PR pitches by email only, please.) You can also contact Business Insider securely via SecureDrop.