Facebook harvested the email contacts of 1.5 million users who have joined the site since 2016, without their permission.
The firm said it "unintentionally uploaded" the contacts after asking users for their email passwords when signing up to the site as a way of verifying their identity.
The incident is the latest in a growing list of privacy breaches to hit the social network.
Facebook said the flaw had been caused by a feature that enabled users to confirm their account and import their email contacts at the same time.
A redesign in 2016 removed some of the language that explained this, but contacts were still uploaded in some cases.
"Earlier this month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time," the firm said.
"When we looked into the steps people were going through to verify their accounts, we found that in some cases people's email contacts were also unintentionally uploaded to Facebook.
"We estimate that up to 1.5 million people's email contacts may have been uploaded.
"These contacts were not shared with anyone and we're deleting them.
"We've fixed the underlying issue and are notifying people whose contacts were imported.
"People can also review and manage the contacts they share with Facebook in their settings."