In early April, Facebook came under fire for asking some users for their email password when signing up to the social network. Now it turns out Facebook has been uploading the email contacts of users without consent since 2016.

As Business Insider reports, Facebook admitted that it "unintentionally uploaded" the email contact lists of 1.5 million users since May 2016. This is related to the discovery in early April that users signing up to Facebook using certain email account providers, such as Yandex or GMX, were being asked for their email password as part of the verification process.

It was suspected that Facebook collected the contact list associated with each account, not least because a message stating contacts were being imported popped up after entering your email password. Now we have confirmation from Facebook those contact were stored.

Here's Facebook's statement as provided to Business Insider:

Facebook changed the verification process in 2016 and that's when the mistake happened. Prior to May 2016 users were given the option to voluntarily import contacts to their Facebook account, however, that option then disappeared, but the import functionality remained and the contact importing happened automatically.

The collected email contacts have been integrated into Facebook's system, meaning they were used to establish social connections and could have also been used for ad targeting, but that remains unclear. So even if your contacts aren't on Facebook, the social network already knows about them in limited form.

If you did provide your email password when signing up to Facebook, chances are the social network grabbed all your contacts. You'll know for sure soon enough as Facebook is set to contact affected users as well as deleting all the contacts it imported without consent.

This article originally appeared on PCMag.com.