Facebook was well aware of the riskiness of its promiscuous data-sharing policies long before news of Cambridge Analytica’s misbehavior made headlines, and hundreds of millions of users may have been affected by them, according to a whistleblower—the second Facebook whistleblower this week!—who used to work at the company. Sandy Parakilas (who now works at Uber, another company that knows about losing the public’s trust) was in charge of tracking down data breaches by third-party developers from 2011 to 2012. During that time, according to a report in the Guardian, he warned executives at Facebook that their policy, which allowed app developers to collect data on users who downloaded their apps and on all of those users’ friends, was too loose and placed users at risk of privacy breaches.

Cambridge Analytica, the Trump campaign data firm that took advantage of Facebook’s permissive data-sharing policy to allegedly obtain data inappropriately on more than 50 million profiles for its voter-targeting effort, wasn’t the only company that did so, according to Parakilas, who told the Guardian that Facebook saw the data-sharing arrangement as a trade-off to get developers to build apps for the social network. And though Parakilas says it’s hard to know exactly how many did so, he estimates that tens of thousands of apps took advantage of the permissive data sharing offered. Facebook took a cut of 30 percent of payments made over apps on its platform, which is a lot, but then again, the developers were getting to keep all that valuable user data, which could have been sold on a black market, said Parakilas.

The new whistleblower’s revelations come days after Facebook’s old data-sharing policies came under immense scrutiny following explosive reports in the New York Times and the Guardian on how Cambridge Analytica obtained that data. Cambridge Analytica’s case is particularly egregious because it received the data from an academic whose psychological-profile app was advertised as being for research purposes only. Though the app’s quiz was only taken by 270,000 people, it was able to collect data on tens of millions because it was allowed to harvest data from people’s friends. Facebook discontinued this policy in 2014.

While the Facebook policy that allowed this to happen has been known about for some time, it’s now receiving fresh scrutiny, raising new questions about how leaky Facebook once was with our data. Unfortunately, the answers may not be easy to come by. Asked by the Guardian whether Facebook had any power over the data it allowed third-party apps to siphon from the platform, Parakilas said, “Zero. Absolutely none. Once the data left Facebook servers there was not any control, and there was no insight into what was going on.”
