Facebook admits to having collected 1.5 million email contacts without consent

Facebook admitted to having accessed and stored the email contacts of 1.5 million users without its consent. Internal business reports that between May 2016 and last month, the social media platform has asked some of its new users to check their email address by providing the password to their email account. After that, the contacts of the users would be automatically imported, without any option for the user to unsubscribe.

In response to the report, a Facebook spokesman said Internal business that the email contacts were "unintentionally downloaded" as part of the process. They stated that these contacts had not been shared with anyone and that the company was now deleting the downloaded contacts. Facebook also claims to have solved the "underlying problem" at the root of the problem.

Email verification is a standard practice for online services, but Facebook has treated it in a very different way. Usually, when you sign up for a new service, you are asked to provide an email address, which then receives an email with a link that you must manually click to verify that the email account belongs to you.

Instead, Facebook asked users to check that they had an email account by giving them their password to Facebook. "To continue using Facebook, you must confirm your e-mail address", read the page requesting the password e-mail of a user.

Users did not have to technically go through this process, but The daily beast note that the more traditional verification options of the service were hidden behind an indefinable link "Need help?" located under the password area of ​​the e-mail. Users can also check their account with a code sent to their phone.

Prior to May 2016, Facebook was still downloading a user's contacts if he provided the password for his email account. However, this month, Facebook removed the message informing users that this download was going to take place, but did not prevent it from happening.

In small print, displayed under the password box, Facebook said it would not store the password entered as part of this process. However, the social network, which no longer has a security officer since August last year, has already struggled to meet its security obligations. Last month, it appeared that the platform had stored hundreds of millions of plain text passwords. Previously, she also used phone numbers provided for security verification purposes to target ad users.

Facebook said it was notifying anyone whose contacts had been uploaded to the service over the next few days.