"unintentionally" harvested the email contacts of about 1.5 million of its users during the past three years.
The activity came to light when a security researcher noticed that Facebook was asking users to enter their email passwords to verify their identities when signing up for an account, according to Business Insider, which previously reported on the practice. Those who did enter their passwords then saw a pop-up message that said it was "importing" their contacts -- without first asking permission, BI reported.
A Facebook spokesperson confirmed that 1.5 million people's contacts were collected in this manner since May 2016 to help build Facebook's web of social connections and recommend other users to add as friends.
"Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time," a Facebook spokesperson said. "When we looked into the steps people were going through to verify their accounts we found that in some cases people's email contacts were also unintentionally uploaded to Facebook when they created their account.
"We've fixed the underlying issue and are notifying people whose contacts were imported," Facebook said, adding that the contacts weren't shared with anyone and are being deleted. It also pointed out that users can review and manage the contacts they share with Facebook in their settings.
As the world's largest social network, Facebook controls data on more than 2 billion people, and who has access to it. The company's data handling practices were called into question in the wake of the Cambridge Analytica scandal, during which the personal information on up to 87 million Facebook users was improperly accessed.