New York’s attorney general is opening an investigation into Facebook’s unauthorized collection of 1.5 million users’ email contacts without their permission.

The email harvest may have exposed hundreds of millions of people to targeted advertising by the embattled social-media company, New York Attorney General Letitia James said Thursday in a statement.

The practice was a result of Facebook’s email password verification process for new users -- a process that’s standard for online services like Facebook. Facebook’s procedure, however, asked some users to hand over the password to their personal email account.

In some cases, Facebook accessed those user’s contacts and uploaded the information “to be used for targeted advertising,” the attorney general said.

Facebook has been working to address concerns by lawmakers and regulators about how it protects users’ data. On Wednesday, Facebook estimated it will cost as much as $5 billion to resolve a Federal Trade Commission investigation into triggered by Cambridge Analytica.

Separately, Facebook is in advanced talks with a group of states to resolve investigations into whether the Cambridge Analytica incident violated local consumer-protection laws.

Forbidding Apps From Scooping Up Unrelated User Data

Facebook has also banned apps from running personality quizzes of the kind that spurred the Cambridge Analytica data-sharing scandal.

“Apps with minimal utility, such as personality quizzes, may not be permitted on the platform,” Facebook’s Eddie O’Neil said Thursday in a blog post. In the future, apps will also be forbidden from asking for data that doesn’t directly “enrich the in-app user experience,” he said in the post.

The update to Facebook’s policies also include removing access to a number of application programming interfaces (APIs) and evaluating an app’s access to user permissions.