The outfit said it had upgraded its operating system to ensure users know it is collecting data from their address books.
Security firm F-Secure Oyj said the Chinese budget smartphone maker was taking personal data without permission.
Xiaomi said it was a terrible mistake and that it had fixed a loophole in its cloud messaging system that had triggered the unauthorised data transfer. It said the operating system upgrade had been rolled out on Sunday.
Part of the problem was that Xiaomi lets users avoid SMS charges by routing messages over the Internet rather than through a carrier’s network. The way this is set up is similar to the system that got Apple into such hot water.
In a lengthy blog post on Google Plus, Xiaomi Vice President Hugo Barra apologised for the unauthorised data collection and said the company only collects phone numbers in users’ address books to see if the users are online.
He said the smartphone’s messaging system would now only activate on an “opt-in” basis and that any phone numbers sent back to Xiaomi servers would be encrypted and not stored.
Apple changed its iPhone operating system so that app developers would have to ask explicitly for permission before accessing address book data.