Facebook has admitted that it "unintentionally" uploaded email contacts of as many as 1.5 million users without their permission, in the social network's latest privacy blunder.

The company said the issue stemmed from a design change to its step-by-step verification process for users setting up an account, made three years ago.

It meant that, when users signed up to Facebook using their email address and password, they were not always aware that their email contacts were being uploaded to the site.

Facebook said the contacts had not been "shared with anyone and we're deleting them".

"We've fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings," a spokesman for the company told Business Insider.

Earlier this month, after coming under fire from security experts, Facebook stopped asking for users' email passwords when they set up accounts, halting its practice of offering email password verification as an option for those signing up for new accounts.