Facebook "unintentionally" uploaded the email contacts of more than 1.5 million users without asking permission to do so, the social network has admitted.
The data harvesting happened via a system used to verify the identity of new members,
Facebook asked new users to supply the password for their email account, and took a copy of their contacts.
Facebook said it had now changed the way it handled new users to stop contacts being uploaded.
All those users whose contacts were taken would be notified and all the contacts it had grabbed without consent would be deleted, it said.
The information grabbed is believed to have been used by Facebook to help map social and personal connections between users.
Analysis: Rory Cellan-Jones, Technology correspondent
Anyone who, like me, joined Facebook a decade or more ago, probably clicked "yes" when invited to upload all of their contacts.
It seemed a good way of making the network more useful and, after all, what could be the harm? But after the various data scandals shattered trust in Facebook, we've become far more cautious.
We've woken up to the harms that could come from handing over that precious information about our social connections - for journalists it could mean revealing their contacts, for whistleblowers their dealings with regulators, for just about anyone their contacts with people they might not want their partners to know about.
Now we know that Facebook somehow scraped up the email contacts of 1.5 million people over a three year period without their agreement. Now every time the social network suggests "people you may know", we will wonder "How do you know that I may know them?"
To many, the idea that they should trust Facebook with their data seems more old-fashioned by the day.
Contacts started being taken without consent in May 2016, the company told Business Insider, which broke the story.
Before this date, new users were asked if they wanted to verify their identity via their email account. They were also asked if they wanted to upload their address book voluntarily.
This option and the text specifying that contacts were being grabbed was changed in May 2016 but the underlying code that actually scraped contacts was left intact, said Facebook.
Ireland's Data Protection Commissioner, which oversees Facebook in Europe, is engaged with the firm to understand what happened and its consequences.
Image caption: Rep Ocasio Cortez said social media was a 'health risk'
The email contacts case is the latest in a long series in which Facebook has mishandled the data of some of its billions of users.
In late March, Facebook found that the passwords of about 600 million users were stored internally in plain text for months.
The ongoing breaches and other criticisms of Facebook are also prompting some high-profile users to bow out. The latest is Democrat Representative Alexandria Ocasio-Cortez who said she had "quit" the social network.
In an interview with a Yahoo News podcast she said: "I personally gave up Facebook, which was kind of a big deal because I started my campaign on Facebook."
She added that social media posed a "public health risk".
Have your say
More Technology Headlines
- Netflix confirms launch of mobile-only streaming service
- Google's Project Dragonfly 'terminated' in China
- China to provide scanners for 5 airports in Ghana
- Democrats considering a bill to ban Facebook from the finance industry
- ‘Africa Gateway’ launched to give insights into promising African markets
- Huawei will reportedly lay off hundreds of US workers
- Facebook 'to be fined $5bn over Cambridge Analytica scandal'
- Photos confirm Galaxy Note 10 won’t have a headphone jack
- Samsung Galaxy Note 10 breaks cover in these first ‘official’ leaked photos
- Ghana loses out on 2019 Telecoms Maturity Index
- Facebook to be quizzed in court on EU-US data transfers
- Professor faces 219-year prison sentence for sending missile chip tech to China
- Samsung sued over water-resistant phone claims
- Google is making Night Sight one of the main camera modes on Pixel phones
- Internet wobble caused by Cloudflare glitch