Facebook unintentionally uploaded 1.5 million users email contacts

Facebook harvested the email contacts of 1.5 million users without their knowledge or consent when they opened their accounts.

Since May 2016, the social-networking company has collected the contact lists of 1.5 million users new to the social network, Business Insider can reveal. The Silicon Valley company said the contact data was "unintentionally uploaded to Facebook," and it is now deleting them.

The revelation comes after pseudononymous security researcher e-sushi noticed that Facebook was asking some users to enter their email passwords when they signed up for new accounts to verify their identities, a move widely condemned by security experts. Business Insider then discovered that if you entered your email password, a message popped up saying it was "importing" your contacts without asking for permission first.

At the time, it wasn't clear what was happening — but on Wednesday, Facebook disclosed to Business Insider that 1.5 million people's contacts were collected this way and fed into Facebook's systems, where they were used to improve Facebook's ad targeting, build Facebook's web of social connections, and recommend friends to add.

A Facebook spokesperson said before May 2016, it offered an option to verify a user's account using their email password and voluntarily upload their contacts at the same time. However, they said, the company changed the feature, and the text informing users that their contacts would be uploaded was deleted — but the underlying functionality was not.

Facebook didn't access the content of users' emails, the spokesperson added. But users' contacts can still be highly sensitive data — revealing who people are communicating with and connect to.

While 1.5 million people's contact books were directly harvested by Facebook, the total number of people whose contact information was improperly obtained by Facebook may well be in the dozens or even hundreds of millions, as people sometimes have hundreds of contacts stored on their email accounts. The spokesperson could not provide a figure for the total number of contacts obtained this way...

Read more: Facebook uploaded 1.5 million users email contacts without permission - Business Insider

 

[Brink]

(Update on April 18, 2019 at 7AM PT: Since this post was published, we discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others. Our investigation has determined that these stored passwords were not internally abused or improperly accessed).

Read more: Keeping Passwords Secure | Facebook Newsroom