Facebook has admitted that it “unintentionally” mined the email contacts of 1.5 million users without their permission or knowledge.


The data breach occurred over a period of three years when Facebook asked new users to supply the password for their email account in order to verify their identity. Once users did this, the company copied the listed contacts of these accounts.

Prior to May 2016, new users were notified about this and asked if they wanted to upload their address book or not. This notification was scrapped, but the underlying code that enabled this access to happen remained in place.

The mechanism is believed to have been used to improve targeted advertisements, and map social connections between individuals. This has resulted in a more relevant ‘People you may know’ section which has led many to wonder how Facebook knows there is a connection with these people.


The revelation came after a security researcher revealed the email password request, a mechanism usually frowned upon in the field of data security. It was then reported that upon entering a password, a user was simply told contacts were being imported from an email account, without first asking permission to do this.

Facebook subsequently disclosed the “unintentional” issue publicly to Business Insider, and informed them that it will delete the mined contacts. The company also confirmed this issue did not allow them to actually read users’ emails.


It is reported that the New York Attorney General’s office is launching an investigation into the matter, and into Facebook’s data practices in general, stating that the social network should be “held accountable for how it handles consumers’ personal information”.

The Irish Data Protection Commission is also said to be investigating the company over the matter given how this is a potential breach of the GDPR.


This incident is just another in a long line of the social media company’s mistakes around use of its users’ data and unsafe data practices and Facebook have already stated their intention to reserve $3 billion to cover the costs for fines which may be due under various privacy investigations, which may run into $5 billion.