“Know that every border you cross, every purchase you make, every call you dial, every cell phone tower you pass, friend you keep, article you write, site you visit, subject line you type, and packet you route, is in the hands of a system whose reach is unlimited but whose safeguards are not.”

This’s what Edward Snowden wrote to filmmaker Laura Poitras when he first made contact with her in 2013 regarding the NSA’s tracking and interception systems. Yet, ever since Facebook came under closer public scrutiny following the 2016 election, Snowden’s warning to Poitras reads increasingly like it could have been written about the social platform as well.

We now know the seemingly unlimited reach of Facebook’s data mining operation. We know that it has in the past, and may still, track what you write — and delete — from its site, monitor the websites you visit, where you go (even when you’re offline), record the applications you and your friends install, and more. Somewhere, Facebook may even know how much money you have.

We also know that Facebook can allow users to be targeted with ads using contact information they’ve never even posted on the site. As Kashmir Hill reported for Gizmodo Thursday, Facebook trawls associated accounts and records looking for, say, a phone number besides the one you may have put in your contact information. Facebook then allows advertisers to use that number to target an ad to your News Feed.

In other words, we know about Facebook’s seemingly unlimited reach. As of last week, we also now know the limitations of its safeguards.

On Friday, at least 50 million Facebook users received a security message, alerting them that their account had been compromised. Someone, somewhere, hacked the platform and gained access to tens of millions of accounts. It was the largest security breach in Facebook’s history.

According to Facebook, the hacker(s) exploited a flaw that “allowed them to steal Facebook access tokens… the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.” Already, some users have launched a class action lawsuit against the company, citing the “continuing and absolute disregard” with which Facebook “has chosen to treat the [personal information] of account holders.”

People who once wished to learn what it might be like to surveil themselves as someone else are now actually being surveilled.

The platform’s vulnerability apparently resided somewhere within the code for Facebook’s “View As” feature, which allows users to see their own profile as if they were someone else. In addition to the 50 million accounts with known security issues, Facebook is also notifying 40 million more people “that have been subject to a ‘View As’ lookup in the last year,” that they might be affected.

What does this mean? People who once wished to learn what it might be like to surveil themselves as someone else are now actually being surveilled. This time, by hackers.

It’s a nice summary of how, despite the Snowden revelations, surveillance has become more than merely accepted in the last few years. It’s now something we regularly partake in of ourselves. We’ve become practitioners, rather than protesters.