Facebook has admitted in an announcement that most of its 2 billion users may have been compromised by “malicious actors.”

CommonDreams.com reports that Facebook has admitted that more user accounts may have been compromised than those announced during the company’s most recent data scandal. Initial reports stated that approximately 51 million accounts were allegedly targeted in the Cambridge Analytica user data scandal, Facebook later clarified after an internal audit that the number was closer to 87 million, but it now seems that the company has admitted after further research that nearly all of Facebook’s 2 billion accounts could have users personal info scraped from them by a variety of “malicious actors.”

WIRED journalist Matt Burgess noted that Facebook’s last statement on the data scandal briefly mentioned that “most” of the site’s two billion users had personal info scraped from their Facebook profiles by “malicious actors.”

https://twitter.com/mattburgess1/status/981614263721742338

Facebook’s chief technology officer Mike Schroepfer wrote in a company blog post: “Until today, people could enter another person’s phone number or email address into Facebook search to help find them. Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way. So we have now disabled this feature.”

Essentially, Facebook believes that over the course of many years, “malicious actors” used search features which Facebook has now disabled to collect information that users were unaware was allowed to be viewed publicly.

The Washington Post explained how these “malicious actors” gained access to the data saying:

[M]alicious hackers harvested email addresses and phone numbers on the so-called “Dark Web,” where criminals post information stolen from data breaches over the years. Then the hackers used automated computer programs to feed the numbers and addresses into Facebook’s “search” box, allowing them to discover the full names of people affiliated with the phone numbers or addresses, along with whatever Facebook profile information they chose to make public, often including their profile photos and hometown. …Facebook users could have blocked this search function, which was turned on by default, by tweaking their settings to restrict finding their identities by using phone numbers or email addresses. But research has consistently shown that users of online platforms rarely adjust default privacy settings and often fail to understand what information they are sharing. Hackers also abused Facebook’s account recovery function, by pretending to be legitimate users who had forgotten account details. Facebook’s recovery system served up names, profile pictures and links to the public profiles themselves. This tool could also be blocked in privacy settings.

Kurt Walters, campaign director at Demand Progress, said on Wednesday that: “This is a crisis of trust. Mark Zuckerberg needs to demonstrate that Facebook users’ wellbeing—not Facebook’s profit line—is the company’s number one priority. Facebook must stop the foot-dragging and immediately alert everyone whose personal data was compromised by Cambridge Analytica or other third parties.”