Facebook admitted on Thursday that it had uploaded the email contacts of 1.5 million users without their knowledge or consent, in the latest revelation about user data compromised by the social media giant.
The company also admitted that it stored the passwords of millions of Instagram users in unencrypted plain text that could be viewed by employees – the company had previously said only tens of thousands of users were impacted.
"Since May 2016, the social-networking company has collected the contact lists of 1.5 million users new to the social network," Business Insider first reported on Wednesday.
Facebook confirmed Business Insider’s reporting in a written statement.
“Earlier this month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time,” a spokesperson for the company wrote. “When we looked into the steps people were going through to verify their accounts we found that in some cases people's email contacts were also unintentionally uploaded to Facebook when they created their account."
"We estimate that up to 1.5 million people's email contacts may have been uploaded. These contacts were not shared with anyone and we're deleting them. We've fixed the underlying issue and are notifying people whose contacts were imported," the statement said.
Facebook had been criticized for years for how the company stores and shares user data. This latest revelation drew more outcry.
"Collecting username and passwords for other services from users under the pretext of security, then using that information to login, download, and use users’ contacts for the purpose of advertising is a clearcut deceptive practice,” Ashkan Soltani, a privacy and security expert who served as a chief technologist of the Federal Trade Commission told ABC News. “The dialogues under which the users' information is collected makes no mention that the users' information will be downloaded (it only says for security) -- and there is no way to stop/delete the uploaded contacts."
Soltani added that the company is already being investigated by regulators for deceptive practices. Facebook is facing multiple investigations for data privacy and security in Europe.
Separately, the company has quietly updated a previous post on its blog from March 21, announcing that the number of users who had their passwords stored in plain text without encryption was much higher than previously reported.
In the original March post, Pedro Canahuati, Facebook’s vice president of engineering, security and privacy wrote that the unencrypted password storage affected "hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users."
On Thursday, the company updated the post to say "we now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others."