I think what happened was that they had an "import friends from your email contacts" feature in the past and the code was reused for "verify your identity via email" but they didn't realise the code would still also upload the email contacts.
At least that's the story I've heard about why this was an "honest mistake".