Facebook "unintentionally" uploaded the email contacts of more than 1.5 million users without asking permission to do so, the social network has admitted.
The data harvesting happened via a system used to verify the identity of new members,
Facebook asked new users to supply the password for their email account, and took a copy of their contacts.
Facebook said it had now changed the way it handled new users to stop contacts being uploaded.
All those users whose contacts were taken would be notified and all the contacts it had grabbed without consent would be deleted, it said.
The information grabbed is believed to have been used by Facebook to help map social and personal connections between users.
Analysis: Rory Cellan-Jones, Technology correspondent
Anyone who, like me, joined Facebook a decade or more ago, probably clicked "yes" when invited to upload all of their contacts.
It seemed a good way of making the network more useful and, after all, what could be the harm? But after the various data scandals shattered trust in Facebook, we've become far more cautious.
We've woken up to the harms that could come from handing over that precious information about our social connections - for journalists it could mean revealing their contacts, for whistleblowers their dealings with regulators, for just about anyone their contacts with people they might not want their partners to know about.
Now we know that Facebook somehow scraped up the email contacts of 1.5 million people over a three year period without their agreement. Now every time the social network suggests "people you may know", we will wonder "How do you know that I may know them?"
To many, the idea that they should trust Facebook with their data seems more old-fashioned by the day.