Facebook has admitted that it "unintentionally" uploaded email contacts of as many as 1.5 million users without their permission, in the social network's latest privacy blunder.
The company said the issue stemmed from a design change to its step-by-step verification process for users setting up an account, made three years ago.
It meant that, when users signed up to Facebook using their email address and password, they were not always aware that their email contacts were being uploaded to the site.
Facebook said the contacts had not been "shared with anyone and we're deleting them".
"We've fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings," a spokesman for the company told Business Insider.
Facebook had earlier this month stopped asking for users' email passwords when they set up accounts, halting its practice of offering email password verification as an option for those signing up for new accounts after coming under fire from security experts.
Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view. By going down that road, you're practically fishing for passwords you are not supposed to know! pic.twitter.com/XL2JFk122l— e-sushi (@originalesushi) March 31, 2019
Some had cautioned it could prompt people to engage in "risky" behaviour online, leaving them open to "phishing" attacks where their personal information can be stolen.
Susan Hall, a partner at law firm Clarke Willmott, said: "Not only are the regulators on both sides of the Atlantic going to be looking at this, Facebook’s shareholders must be seriously worried about the financial and reputational harm the latest revelation is going to create.
It is far from the first time Facebook has faced criticism from privacy advocates and, last week it bowed to demands to clarify its user terms and conditions, following claims the terms of service were "misleading" and that it was not transparent enough over how it used personal data.
At the time, the company had said it had been working hard recently on better explaining how Facebook works, including the data it collected and how that data is used.
It also admitted recently that a glitch in its system had exposed the passwords of millions of users to staff internally, although said it had since fixed the error.
And, last year, it became embroiled in the Cambridge Analytica scandal, in which the data of 87m of its users was harvested for political purposes. Facebook later said it was making changes to better protect user data.