Facebook CEO Mark Zuckerberg today revealed that all of its 2.2 billion users should assume their public data has been compromised by third-party scrapers.

The source of this vulnerability is Facebook’s search function, which allows anyone to look up users via their email address or phone numbers. Users have to opt into it, via an option that lets their names come up in searches. The security settings have this option on by default.

In a blog post from CTO Mike Schroepfer, Facebook hinted at the scope of the problem:

However, malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery. Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way.

During a call today with members of the press, Zuckerberg confirmed just how open Facebook had left its users:

I would assume if you had that setting turned on that someone at some point has access to your public information in some way.

Zuckerberg clarified, when asked about the 87 million number cited earlier, that it was the number of users potentially affected by Cambridge Analytica. Zuckerberg said he was confident that was the maximum number.

During the call today, Zuckerberg said he felt responsible for the missteps of his company, and that he hoped to learn from them moving forward. When asked if he still considered himself the best person to run the company, he said, “Yes.”

Read next: Foxconn is making Sirin Labs' $1,000 blockchain phone for cryptocurrency geeks