Facebook Says 1.5 Million Users Impacted in New Email Privacy Scandal—How to Find Out If You Are One of Them

Mark Zuckerberg, chief executive officer and founder of Facebook, attends the Viva Tech startup and technology gathering at Parc des Expositions Porte de Versailles on May 24, 2018, in Paris. Facebook admitted to having taken email address books from users without their consent. Christophe Morin/IP3/Getty Images

Facebook has pledged to delete a huge trove of email data harvested from more than 1 million new users since 2016, saying the data was "unintentionally uploaded" to the company.

Business Insider first reported that the Mark Zuckerberg-led social network had admitted to having taken email address books from users without their consent. The ingested data was used to help improve internal systems, including targeted advertising and account connections.

According to the company, the issue stemmed from a feature that was designed to let users upload their email contacts when they signed up to help them find friends on the platform. When the feature was changed in May 2016, language telling users their contacts would be uploaded to Facebook was removed in error—but the process remained active.

Earlier this month, The Daily Beast reported that the website had asked new users to hand over email account passwords when signing up to the platform—a big cybersecurity no-no. Now, Facebook has confirmed that about 1.5 million people were affected in this latest privacy scandal.

The privacy issue was discovered by cybersecurity researcher Mike Edward Moras, who tweeted about it on March 31. He raised concerns that a "see how it works" feature was not clickable at the time.

How to Check If You Were Caught in the Facebook Email Privacy Error

Users are potentially affected by the error if they signed up for an account between May 2016 and April 2019. If data was taken, users will likely receive a notification within the next week, Business Insider reported. Experts suggested that any passwords that were uploaded should now be changed.

"This is then an example of a Facebook development team determining that an implementation to provide new users with a rich list of friends outweighs the privacy implications," said Tim Mackey, a senior technical expert at Synopsys, a U.S. cybersecurity company.

"Facebook has not disclosed the full extent such access might grant, nor have they provided any indication of how harvested emails might be used," Mackey added.

"I would recommend any concerned user who has signed up with Facebook since May 2016 immediately change their email password and then submit a request to Facebook for a detailed accounting of precisely what data was accessed and how that data was used."

Business Insider reported that Facebook's claim of 1.5 million affected users was likely on the low side, because most people will have dozens, or even hundreds, of contacts linked to an email account. In total, there could be dozens or hundreds of millions of people affected, the outlet noted.

Facebook told Newsweek: "Earlier this month, we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time."

A spokesperson continued: "When we looked into the steps people were going through to verify their accounts, we found that in some cases people's email contacts were also unintentionally uploaded to Facebook when they created their account.

"We estimate that up to 1.5 million people's email contacts may have been uploaded. These contacts were not shared with anyone and we're deleting them.

"We've fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings."