Facebook has admitted to “unintentionally” uploading the address books of 1.5 million users without consent, and says it will delete the collected data and notify those affected.

The discovery follows criticism of Facebook by security experts for a feature that asked new users for their email password as part of the sign-up process. As well as exposing users to potential security breaches, those who provided passwords found that, immediately after their email was verified, the site began “importing” contacts without asking for permission, writes The Guardian. 

Facebook has now admitted it was wrong to do so, and said the upload was inadvertent. “Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time,” the company said.

“When we looked into the steps people were going through to verify their accounts we found that in some cases people’s email contacts were also unintentionally uploaded to Facebook when they created their account,” a spokesperson said. “We estimate that up to 1.5 million people’s email contacts may have been uploaded. These contacts were not shared with anyone and we’re deleting them. We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings.”

The issue was first noticed in early April, when the Daily Beast reported on Facebook’s practice of asking for email passwords to verify new users. The feature, which allows Facebook to automatically log in to a webmail account to effectively click the link on an email verification itself, was apparently intended to smooth the workflow for signing up for a new account.

But security experts said the practice was “beyond sketchy”, noting that it gave Facebook access to a large amount of personal data and may have led to users adopting unsafe practices around password confidentiality. The company was “practically fishing for passwords you are not supposed to know”, according to cybersecurity tweeter e-sushi, who first raised concern about the feature, which Facebook says has existed since 2016.

At the time, Facebook insisted it did not store email passwords but said nothing about other information gathered in the process. Shortly after, Business Insider reported that, for users who entered their passwords, Facebook was also harvesting contact details – apparently a hangover from an earlier feature that Facebook had built expressly to take contacts with permission – except in this new implementation, users had not given consent.

The company said those contacts were used as part of its People You May Know feature, as well as to improve ad targeting systems. While it has committed to deleting the uploaded contacts, it is not immediately clear whether it will delete the information it inferred from those uploaded contacts – or even whether it is able to do so. Facebook did not immediately reply to a query from the Guardian.