No, the email address is not sufficient; they want to log into your email account and extract your contact list. Numerous social web sites do that, notably FaceBook. I'd never give away my email password, and am amazed that there are people who do.
While it's not a hack, it is a poor privacy practice. I blogged last year about which sites let you import your contacts properly - without providing a password. The standards in this space are interesting.
I think it's a problem that large companies train people to be insecure. I taught a relative that you don't give any sensitive info on the phone unless you initiated the call to a known phone number. (That you know to belong to the organization.) She then got a call from a bank asking for her mother's maiden name. When she called that bank back they agreed that they were calling people asking for that info because they didn't want to "tell just anyone" what the call was about. Which wasn't a sensitive matter in the first place. I'm annoyed that the bank did that. It trains people that it is ok to give out this info.