The privately held company said it had fixed a loophole in its cloud messaging system that had triggered the unauthorised data transfer and that the operating system upgrade had been rolled out on Sunday.
The issue was highlighted last week in a blog post by security firm F-Secure Oyg and had been reported by media outlets in Taiwan. Like Apple Inc's iMessage service, Xiaomi lets users avoid SMS charges by routing messages over the Internet rather than through a carrier's network.
(Also see: Xiaomi Says Its Smartphones Do Not Secretly Upload Photos, Text Messages)
In a lengthy blogpost on Google Plus, Xiaomi Vice President Hugo Barra apologised for the unauthorised data collection and said the company only collects phone numbers in users' address books to see if the users are online.
He said the smartphone's messaging system would now only activate on an "opt-in" basis and that any phone numbers sent back to Xiaomi servers would be encrypted and not stored.
Some industry analysts say Xiaomi has pipped Samsung Electronics Co Ltd to become the top selling smartphone brand in China, the world's biggest smartphone market.
Although an increasing number of smartphone apps harvest vast troves of personal data including a user's real-time location, the address book remains a particularly sensitive domain.
The U.S. Federal Trade Commission fined the social network Path $800,000 last year after security researchers showed how the company siphoned users' address books without their knowledge and stored it on its servers.
As a result of the Path controversy, which began in 2012 and prompted a brief Congressional inquiry, Apple changed its iPhone operating system so that app developers would have to ask explicitly for permission before accessing address book data.
© Thomson Reuters 2014
Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2026 hub.