Facebook hoovered up 1.5 million users’ email contacts without permission… “unintentionally”

Whoops, they did it again.

Facebook may have hoovered up 1.5 million users' email contacts without permission

For such an allegedly smart company, Facebook doesn’t half do some dumb things.

Kudos to the team at Business Insider, who were as bewildered as the rest of us as to why Facebook was asking some users to hand over the password to their email account, and who also noticed that the site appeared to then be scooping up those users' address books without asking permission first.

As security-savvy folks around the world reacted with a mixture of shocked headlines and shrugs of resignation (this was Facebook, after all), the social network said that it would be discontinuing the feature.


Business Insider, however, went one step further and asked Facebook just how many users had their email contacts uploaded through the mechanism.

Facebook’s response to the question from Business Insider is rather shocking – up to 1.5 million users.

“Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people’s email contacts were also unintentionally uploaded to Facebook when they created their account. We estimate that up to 1.5 million people’s email contacts may have been uploaded. These contacts were not shared with anyone and we’re deleting them. We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings.”

Considering how many names and addresses the typical person has in their email address book, that could mean that Facebook stole (Yes, it was stealing. They didn’t have permission) the contact details of hundreds of millions of people.

I wonder how the authorities and regulators might view Facebook’s lax behaviour around its users’ private data. And I wonder if Facebook would even have admitted the details of what happened if they hadn’t been pressed by journalists.

And if Facebook can “unintentionally” make a huge mistake like this, I wonder what other unintentional boo-boos it can make.

And how much longer people will put up with it.

Remember, if security researchers and journalists hadn’t pointed out this problem, Facebook would still be doing it. Who wants to make a bet as to when the next Facebook privacy scandal pops up?

We put together a “Smashing Security” podcast where we describe how to quit Facebook and offer some techniques for people who are fearful of going cold turkey.

Smashing Security #75: 'Quitting Facebook'



Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.
