Exclusive: Facebook said that it has "unintentionally uploaded" the email contacts of 1.5 million new Facebook users since May 2016.

A security researcher recently noticed Facebook was asking some new users to provide their email passwords when they signed up — a move widely condemned by security experts.

Business Insider then discovered that if you entered your email password, a message popped up saying it was "importing" your contacts without asking for permission first.

Facebook has now revealed to Business Insider that it "unintentionally" grabbed 1.5 million users' data, and is now deleting it.

Visit BusinessInsider.com for more stories.

Facebook harvested the email contacts of 1.5 million users without their knowledge or consent when they opened their accounts.

Since May 2016, the social-networking company has collected the contact lists of 1.5 million users new to the social network, Business Insider can reveal. The Silicon Valley company said the contact data was "unintentionally uploaded to Facebook," and it is now deleting them.

The revelation comes after pseudononymous security researcher e-sushi noticed that Facebook was asking some users to enter their email passwords when they signed up for new accounts to verify their identities, a move widely condemned by security experts. Business Insider then discovered that if you entered your email password, a message popped up saying it was "importing" your contacts without asking for permission first.

At the time, it wasn't clear what was happening — but on Wednesday, Facebook disclosed to Business Insider that 1.5 million people's contacts were collected this way and fed into Facebook's systems, where they were used to improve Facebook's ad targeting, build Facebook's web of social connections, and recommend friends to add.

Read more: How to contact Facebook for problems with your account and other issues

A Facebook spokesperson said before May 2016, it offered an option to verify a user's account using their email password and voluntarily upload their contacts at the same time. However, they said, the company changed the feature, and the text informing users that their contacts would be uploaded was deleted — but the underlying functionality was not.

Facebook didn't access the content of users' emails, the spokesperson added. But users' contacts can still be highly sensitive data — revealing who people are communicating with and connect to.

While 1.5 million people's contact books were directly harvested by Facebook, the total number of people whose contact information was improperly obtained by Facebook may well be in the dozens or even hundreds of millions, as people sometimes have hundreds of contacts stored on their email accounts. The spokesperson could not provide a figure for the total number of contacts obtained this way.

Users weren't given any warning before their contact data was grabbed

The screenshot below shows the password entry page users saw upon sign up. After they entered their password and clicked the blue "connect" button, Facebook would begin harvesting users' email contact data without asking for permission.

After clicking the blue "connect" button, a dialog box (screenshot below) popped up saying "importing contacts." There was no way to opt out, cancel the process, or interrupt it midway through.

Business Insider discovered this was happening by signing up for Facebook with a fake account before Facebook discontinued the password verification feature. In our test, after the authentication loading screen finished, a new box popped up saying it didn't find any contacts, and then took us to the homescreen of the social network.

A user might have been able to infer from this that their contacts were being accessed — but there was no way to stop it happening, or advance notice ahead of time.

From one crisis to another

The incident is the latest privacy misstep from the beleaguered technology giant, which has lurched from scandal to scandal over the past two years.

Since the Cambridge Analytica scandal in early 2018, when it emerged that the political firm had illicitly harvested tens of millions of Facebook users' data, the company's approach to handling users' data has come under intense scrutiny. More recently, in March 2019, the company disclosed that it was inadvertently storing hundreds of millions of users' account passwords in plaintext, contrary to security best practices.

Facebook now plans to notify the 1.5 million users affected over the coming days and delete their contacts from the company's systems.

"Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people's email contacts were also unintentionally uploaded to Facebook when they created their account," the spokesperson said in a statement.

"We estimate that up to 1.5 million people's email contacts may have been uploaded. These contacts were not shared with anyone and we're deleting them. We've fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings."

Got a tip? Contact this reporter via encrypted messaging app Signal at +1 (650) 636-6268 using a non-work phone, email at rprice@businessinsider.com, Telegram or WeChat at robaeprice, or Twitter DM at @robaeprice. (PR pitches by email only, please.) You can also contact Business Insider securely via SecureDrop.

Read more: