Facebook has accepted that it has penetrated and stored the email contacts of as many as 1.5 million of its users without their approval and used the data to build a network of their social connections. According to Business Insider, Facebook began collecting the contact lists in May 2016 when new users opened a new account on the social network. Surprisingly, the social media platform has asked some of its new members to confirm their email address by email password verification, a method security experts widely condemned. After entering the password, a pop-up message would appear acknowledging that it was “importing” their contacts, without even asking their consent to do so.

These contacts were then fed into Facebook’s database systems and used to build a web of users’ social links and inform recommended friends on the social network.

Facebook Thumbs Down

A Facebook spokesperson countering the reports told Business Insider that email contacts were “unintentionally uploaded” as part of the procedure though these contacts have never been shared with anyone. It also said that before May 2016, it proposed an option to verify a user’s account and voluntarily upload their contacts at the same time. However, the feature was altered and the text informing users that their contacts would be uploaded was deleted, but the underlying functionality was not. However, Facebook says at no point did it access the content of users’ emails.

Facebook also claims to have fixed the “underlying issue” that led to the problem, and it is now deleting the contacts that were uploaded.

Email verification is standard practice for online services. This usually asks you to provide an email address when signing up for a new service, followed with an email that contains a link to the address. Then, you have to manually click the link to verify the email account that belongs to you. On the contrary, what Facebook did was another story. It asked users to prove that they owned an email account by handing over their password to Facebook. “To continue using Facebook, you’ll need to confirm your email address” read the page asking for a user’s email password. Users didn’t technically have to go through this process, but The Daily Beast notes that the service’s more conventional verification options were concealed behind an undistinguished “Need help?” link located below the email password box. Users could also verify their account with a code sent to their phone.

Needless to say that after looking at the long list of blunders and violations, it seems that Facebook had had its chips in privacy. In March, for example, it appeared that between 200 and 600 million Facebook users might have had their account passwords stored in plain text in a database accessible to 20,000 Facebook employees. Some Instagram passwords were also included.

To fuel the controversy, cybersecurity researchers had discovered millions of Facebook records publicly accessible on Amazon’s cloud servers, after the data was uploaded by third-party companies that work with Facebook, earlier this month. In yet another development just this week, over 4,000 pages of documents from 2011 to 2015 were leaked which provide insight into how Facebook took advantage of user data while publicly promising to protect user privacy before and after its 2015 move to end broad access to user data.

However, nothing more can be expected from a social networking company that hasn’t had a chief security officer since August of last year, has previously had problems keeping to its security obligations.