This article is more than 1 year old

Facebook: Yeah, we hoovered up 1.5 million email address books without permission. But it was an accident!

So that's all OK then

Facebook has admitted to harvesting email contacts from 1.5 million people without permission.

Since May 2016, Facebook collected all email contacts when some new users signed up to the antisocial network.

An anonymous security researcher, who sports the handle e-sushi on Twitter, first noticed that the company was asking some new users to enter their email passwords to verify their identities, a deeply anti-security request even on its own. Business Insider then spotted that if you did this a dialogue box popped up warning you – with no chance to cancel, pause or opt out – that it was importing all your contacts.


DON’T add me to your social network, I have NO IDEA who you are


The company has now admitted that the emails were collected, analysed, used for ad targeting and to push its add-a-friend feature.

Facebook said that before May 2016 it had offered an option to voluntarily upload all contacts while using your email password for verification. It then changed the text informing users of what was happening but neglected to remove the functionality which sucked up the contacts.

The company said it didn't read the contents of the emails and that the actual contacts were "inadvertently uploaded".

Business Insider pointed out that the total number of people affected likely runs into tens or even hundreds of millions because each address book could contain hundreds of email addresses.

Facebook said: "Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people's email contacts were also unintentionally uploaded to Facebook when they created their account."

The company said "up to 1.5 million people's email contacts may have been uploaded".


Facebook's at it again: Internal emails show it knew about Cambridge Analytica abuse 'months' before news broke


It is notifying users and deleting the illegally collected details.

The UK's Information Commissioner's Office referred queries to Ireland's Data protection office – The Reg is still are waiting for a response. We also asked Facebook if the contacts were stored securely or in plain text, but have not heard back

The UK's data protection watchdog last year chucked Facebook, Cambridge Analytica, universities and political parties into the dog house as it condemned a "disturbing disregard" for personal privacy across the system.

This is just the latest in a string of screw-ups by the company. Last month it emerged that top management knew about Cambridge Analytica's shenanigans at least four months before the story hit the news. Facebook previously claimed, and testified in court, that it was completely unaware until alerted by the media.

The ad giant made revenues of over $55.8bn in 2018, up 37 per cent from $40.6bn in 2017. It had 1.52 billion daily active users, up 9 per cent on the year before. ®

More about


Send us news

Other stories you might like