Facebook has come clean about yet another data scandal. Since May 2016, the company has collected the contact lists of 1.5 million users who were new to the platform, as reported by Business Insider.

Last month, e-sushi — a security researcher — noticed that Facebook was asking some users to provide their email passwords when they signed up.

“Hey Facebook, demanding the secret password of the personal email accounts of your users for verification, or any other kind of use, is a horrible idea from an [information security] point of view,” e-sushi tweeted.

That prompted outlets to begin looking into Facebook’s practice. On Wednesday, the company told Business Insider that contact data was “unintentionally uploaded to Facebook.” The company said it’s deleting all the information obtained.

https://twitter.com/originalesushi/status/1112496649891430401

Users weren’t given any notice before Facebook began uploading their data, so they also couldn’t give consent. The company plans to reach out to everybody who was affected.

Although Facebook says it didn’t access the content of any messages, contact information is still sensitive. The company also wouldn’t provide information on just how many contacts it downloaded.

Back in February, Facebook shut down a data collecting VPN targeting teens and, only a month later, the company admitted to storing millions of passwords in plain text. This is yet another example of Facebook poorly handling or suspiciously obtaining data.