Facebook today revealed that as many as 87 million users, most of them in the US but at least 1 million in the UK, may have had their information improperly obtained and used by the data mining firm Cambridge Analytica. The revelation indicates that nearly twice as many Facebook users may have been directly affected by the ongoing data privacy scandal resulting from the unauthorized sale of the social network’s user data to the third-party company, which was contracted by the Trump campaign to help with election ad targeting. Initial reports from The New York Times and The Guardian put the figure at as many as 50 million users who had data scraped by Cambridge psychology professor Aleksandr Kogan’s survey app via Facebook Login.

Facebook revealed the information at the bottom of a substantial blog post penned by chief technology officer Mike Schroepfer, who is among the highest ranking executives at the company behind CEO Mark Zuckerberg and COO Sheryl Sandberg. The post outlines plans to restrict the use of its many application programming interfaces, or APIs, that allow developers to plug into the service and extract user data from it.

The changes are sweeping, and they come as part of a multistep effort from Facebook these past two weeks to repair its image with politicians and the public, assuage critics condemning the company’s privacy track record, and crack down on the misuse of its platform by third-party companies and foreign governments. Effectively, Facebook has put a nail in the coffin of its app platform with unilateral restrictions across the board. As part of the changes, Facebook says it will notify people if their information was improperly shared with Cambridge Analytica, as well as allow users to see what info they’ve shared with any and all third-party apps from a link at the top of the News Feed starting on April 9th.

Facebook is making sweeping changes to restrict developer access to user data

Starting today, Facebook says it will no longer allow developers to use the Events API to access the guest list or event wall of a concert, gathering, or similarly scheduled event on Facebook. “Only apps we approve that agree to strict requirements will be allowed to use the Events API,” writes Schroepfer. Facebook is also requiring third-party app developers who use the Groups API to get approval from Facebook and a group administrator “to ensure they benefit the group” with whatever product or service is accessing the group list and its members’ data.

“Apps will no longer be able to access the member list of a group. And we’re also removing personal information, such as names and profile photos, attached to posts or comments that approved apps can access,” writes Schroepfer. Facebook is also limiting the use of the Pages API by requiring all future access to the entire access layer be approved by the company. Prior to the change, any app could use the Pages API to read posts or comments from any public-facing Facebook page.

Perhaps the most pivotal changes are those Facebook is making with regard to Facebook Login, building on an initial announcement made two weeks ago in the immediate aftermath of the Cambridge Analytica revelations. Beyond that initial move to cut off app access after a three-month period of user inactivity, Facebook now says it will no longer let apps ask for personal data like religious views, political affiliation, relationship status, custom friends list, education and work history, and activity on fitness, book reading, music listening, news reading, video watching, and game playing. “In the next week, we will remove a developer’s ability to request data people shared with them if it appears they have not used the app in the last three months,” Schroepfer writes, which clarifies when the company’s prior policy change will take effect. This will make it much harder for app developers to use Facebook data to improve their products and integrate more deeply into a user’s online life.

The changes did not stop at those core Facebook APIs. The company is also restricting the Instagram API to disable collection of user follower lists, relationships, and comments on public content. It’s also shutting down the photo-sharing app’s old API ahead of schedule. Originally, the Instagram API Platform was scheduled to be shut down on July 31st.

In addition to the API changes, Facebook will no longer let anyone input a user’s phone number or email address to find them on the social network, which is a big change in how the product is used by millions of people in response to what the company says is “abuse” from “malicious actors.” In fact, Schroepfer says, “given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way.” So Facebook is disabling the feature and “also making changes to account recovery to reduce the risk of scraping as well.”

Facebook is also changing its opt-in call and text history feature on Messenger and Facebook Lite on Android following widespread concern over the company’s ability to scrape communication logs. The feature, designed ostensibly to analyze your communications with others to surface your most frequent contacts high on your contact list, is being restricted so only the data required to enable the feature is collected, and all logs will now be deleted after one year. Additionally, “the client will only upload to our servers the information needed to offer this feature — not broader data such as the time of calls,” Schroepfer adds.

Later in the day, Cambridge Analytica released a statement refuting the suggestion it was in the possession of data on 87 million Facebook users. “Cambridge Analytica licensed data for no more than 30 million people from GSR, as is clearly stated in our contract with the research company. We did not receive more data than this,” the company’s statement reads. “We did not use any GSR data in the work we did in the 2016 US presidential election. Our contract with GSR stated that all data must be obtained legally, and this contract is now a matter of public record. We took legal action against GSR when we found out they had breached this contract.”

Cambridge Analytica says it’s currently undergoing a third-party audit to show that none of the data remains in its systems, something that remains in contention after a Channel 4 report last week said data on hundreds of thousands of users was still circulating.

Update April 4th, 3:22PM ET: Added additional information from Facebook CTO Mike Schroepfer’s blog post about Facebook API restrictions.

Update April 4th, 6:50PM ET: Added statement from Cambridge Analytica.