Facebook today announced that it has suspended “tens of thousands” of apps as part of an ongoing investigation into improper data use on the part of third-party developers. The investigation is part of a broader effort the company embarked on last year in the wake of the Cambridge Analytica data privacy scandal, which involved a political consulting firm purchasing data on tens of millions of Facebook users that had been collected, packaged, and sold by the maker of a quiz mobile app.

The tech giant has been slow to reveal the scope of its ongoing investigation. In May 2018, the company said 200 apps had been suspended; in August 2018, that number jumped to 400. Now, roughly 12 months later, the company is admitting that it investigated millions of apps and has suspended “tens of thousands.”

Facebook says the huge volume of apps traces back to a small number of developers, just 400 or so. It is unclear how the developers in question could be responsible for so many offending apps and go largely unnoticed until Facebook felt compelled to investigate its platform. If Facebook removed just 10,001 apps from 400 developers, that would mean each developer, on average, had created 25 apps that break Facebook’s rules. (Facebook says some of the apps it suspended were still in testing.)

In a blog post published today, Facebook vice president of partnerships Ime Archibong said Facebook has banned some apps completely. “That can happen for any number of reasons including inappropriately sharing data obtained from us, making data publicly available without protecting people’s identity or something else that was in clear violation of our policies,” Archibong writes.

Facebook has also permanently removed access to its platform from some of the offending developers, although it is not specifying how many developers it’s banned. The company has even taken legal action against some app makers. Shortly after the news of Cambridge Analytica first broke, the company sued two Ukrainian men for allegedly accessing user data illegally. Facebook says it has continued to sue developers, including software makers that were using Facebook-linked apps to infect users’ phones with malware.

In an additional statement given to The Verge, a Facebook spokesperson outlined further information regarding the suspensions:

Yes, the suspensions have been on a rolling basis. The suspension of an app from the Facebook platform does not necessarily indicate misuse of data using that app. In a number of instances, we have suspended an app not because of any known or suspected misuse of data by that app, but because of the app’s association with a person or an entity which may have misused Facebook data in violation of our policies. Suspension also does not indicate an app had access to, or acquired, significant user data, as some apps associated with a suspicious entity may be “test” apps that were never released to the public. Quickly identifying potential incidents of data misuse is particularly challenging, as more complex and time-consuming technical analyses and investigative steps such as in-person interviews of app developers are often needed to accurately determine whether a developer has in fact misused user data.

The news comes as the company faces 11 ongoing investigations from the Justice Department, state attorneys general, and the Securities and Exchange Commission on possible antitrust and privacy violations. One of these, a lawsuit brought by the attorney general of the District of Columbia, is a response to the Cambridge Analytica revelations.

In July, the Federal Trade Commission announced a $5 billion settlement with Facebook over privacy breaches. It was the largest penalty a tech company had ever had to pay. As part of the settlement, Facebook rolled out new requirements for third-party developers, including a mandatory annual compliance review.

Update September 20th, 2:56PM ET: Added new statement from Facebook.