Facebook revealed Wednesday that "malicious actors" had scraped the personal data of most of its users by using a search feature to find their profile pages.

The company also revealed that the Cambridge Analytica data leak was potentially much bigger than first estimated; the data firm may have gotten access to the data on up to 87 million users.

The revelations come as the company is still reeling from and responding to the Cambridge Analytica scandal.



Facebook made a bombshell admission about the security of its users' personal information on Wednesday, in a startling revelation that's almost certain to worsen the privacy crisis currently hanging over the world's largest social network.

"Most" of Facebook's 2 billion users may have had their personal data skimmed from the site by "malicious actors," the company said in a blog post by Chief Technology Officer Mike Schroepfer. Facebook said it has disabled the feature in its site's search function that enabled the data scraping, but the fact that so much user data may have been vulnerable was another setback to the company's efforts to restore confidence with users.

"It is reasonable to expect that if you’ve had that setting on in the last several years that someone has accessed your information," company CEO Mark Zuckerberg said on a conference call with journalists.

Meanwhile, up to 87 million users may have been affected by the leak of personal information to Trump-linked data firm Cambridge Analytica — a number that was much bigger than previous estimates.

Facebook has been reeling since a whistleblower disclosed that Cambridge Analytica had managed to get hold of user data and used it to target voters with emotional and divisive messages during the 2016 Trump presidential campaign.

Schroepfer disclosed the new information about privacy compromises on Wednesday in a post describing changes the company has made to its service, to better protect users' personal data.

"We believe these changes will better protect people’s information while still enabling developers to create useful experiences," he said in the post. "We know we have more work to do — and we’ll keep you updated as we make more changes."

A reverse search feature that could yield a treasure trove of information

Schroepfer described how "malicious actors" had abused Facebook's search feature to scrape personal info about users. The search tool allowed anyone to look up a user's public Facebook profile information, which can include things like gender and birth date, by searching on only the person's phone number or email address. The feature was useful in other countries, where it may be difficult to type in a user's full name, Schroepfer said.

But the tool was abused by bad actors, who were able to use it to easily find personal details on potentially billions of Facebook users.

User information like names, hometowns and birth dates is valuable to bad actors, who can use it for everything from identity theft to credit card fraud.

"Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way," Schroepfer said. "So we have now disabled this feature. We’re also making changes to account recovery to reduce the risk of scraping as well."

Schroepfer's post was published just an hour before Facebook CEO Mark Zuckerberg is scheduled to hold a press conference with reporters.

Facebook has been reeling since a whistleblower disclosed that Cambridge Analytica, which assisted President Trump's election campaign, gleaned data on millions of Facebook users through an app written by a university researcher. Only 270,000 Facebook users actually installed the app, but due to Facebook's data sharing policies at the time, the app was able to gather data on millions of their friends.

The initial estimates were that the app gathered data on some 50 million Facebook users. But Schroepfer revised that number upward by 74%. Facebook will be rolling out a new feature on Monday that will inform users who were affected by the data leak.