Facebook "unintentionally" harvested data from the email accounts of up to 1.5 million of its users, the social network said Wednesday.
In a statement, Facebook admitted collecting contact information from the digital address books of users who provided the social network with their email addresses and matching passwords.
Facebook had made new users verify their identity by providing the company with an email address and corresponding password, effectively daring them to defy a basic cybersecurity practice that raised concerns upon being reported last month.
"Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people's email contacts were also unintentionally uploaded to Facebook when they created their account," a Facebook spokesperson said in the statement.
"We estimate that up to 1.5 million people's email contacts may have been uploaded. These contacts were not shared with anyone and we're deleting them. We've fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings," the statement said.
Business Insider first reported Facebook's collection of email contacts. A pseudonymous Twitter user known online as "e-sushi" first drew attention last month to the company's requests for third-party user credentials.
"Hey @facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a HORRIBLE idea from an #infosec point of view," they tweeted. "By going down that road, you're practically fishing for passwords you are not supposed to know!"
Ashkan Soltani, a former chief technology officer for the Federal Trade Commission, predicted possible regulatory consequences for Facebook, meanwhile.
"I concur that this is one of the most legally actionable behaviors by @facebook to date," Mr. Soltani tweeted. "I'm confident regulators will be taking a look."
Facebook begun collecting users' email data without their permission in May 2016, Business Insider reported.
A company spokesperson was unable to put a total number on the people who had their contact information amassed as a result, the report said.