These contacts were not shared with anyone and we're deleting them.
Facebook "unintentionally" harvested the email contacts of about 1.5 million of its users during the past three years. Changes in May 2016, however, allowed the contact lists of about 1.5 million users to be uploaded to Facebook without users' knowledge.
Facebook did not respond to a Reuters request for comment outside regular business hours.
"The mistake has been rectified and affected users are being informed," Facebook added.
Facebook has been embroiled in another password-related mess. People can also review and manage the contacts they share with Facebook in their settings. Regardless of the intent behind this action, Facebook still admitted that it used the collected contacts to improve its ad targeting capabilities.
All those users whose contacts were taken would be notified and all the contacts it had grabbed without consent would be deleted, it said.
In late March, security researchers expressed concern about this phishing-like approach by Facebook.
"Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time," the Facebook spokesperson was quoted as saying.
But in May 2016, Facebook removed language that explained users' contact lists could be uploaded to the company's servers when they signed up for an account. Prior to May 2016, Facebook offered an option for new users to verify their email account and upload all their contacts from that email account at the same time.
The incident is the latest privacy issue to rock Facebook, which has more than two billion users globally. Shortly after, Business Insider reported that, for users who entered their passwords, Facebook was also harvesting contact details - apparently a hangover from an earlier feature that Facebook had built expressly to take contacts with permission - except in this new implementation, users had not given consent.