Facebook has admitted to harvesting 1.5 million users' email contacts without their consent, but claims it did so "unintentionally".
The social network began collecting contact lists following a design change to its platform nearly three years ago.
In May 2016, Facebook offered email password verification but removed from the process any explanation that new users' contact lists would be uploaded to Facebook's servers.
So while only 1.5 million Facebook users were affected, it is possible tens of millions or even hundreds of millions of email contacts were actually gathered by Facebook without permission.
It is the latest in a series of scandals that have beset the technology giant in recent years and comes just a day after it was revealed CEO Mark Zuckerberg gave access to sensitive user data to dozens of app developer friends.
Privacy advocates have labelled the latest revelations a major infringement on people's digital rights, with some suggesting that Facebook could face further legal action.
"This is one of the most legally actionable behaviours by Facebook to date," tweeted Ashkan Soltani, a former chief technology officer for the US Federal Trade Commission (FTC).
"I'm confident regulators will be taking a look."
If used for advertising purposes, the collection of email contacts could have breached regulations by earning proceeds from "ill-gotten gains", Mr Soltani noted.
Facebook said it only realised the error this month and is now in the process of removing the contacts from its servers.
"We estimate that up to 1.5 million people's email contacts may have been uploaded. These contacts were not shared with anyone and we're deleting them," a Facebook spokesperson told The Independent.
"We've fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings."