Facebook said Wednesday that "malicious actors" took advantage of search tools on its platform, making it possible for them to discover the identities and collect information on most of its 2 billion users worldwide.
The revelation came amid rising acknowledgment by Facebook about its struggles to control the data it gathers on users. Among the announcements Wednesday was that Cambridge Analytica, a political consultancy hired by then-presidential candidate Donald Trump and other Republicans, had improperly gathered detailed Facebook information on 87 million people, of whom 71 million were Americans.
But the abuse of Facebook's search tools – now disabled – happened far more broadly and over the course of several years, with few Facebook users likely escaping the scam, company officials acknowledged.
The scam started when hackers harvested email addresses and phone numbers on the "dark Web," where criminals post information stolen in data breaches over the years. Then the hackers used automated computer programs to feed the numbers and addresses into Facebook's "search" box, allowing them to discover the full names of people affiliated with the phone numbers or addresses, along with whatever Facebook profile information they chose to make public, often including their profile photos and home towns.
"We built this feature, and it's very useful. There were a lot of people using it up until we shut it down today," chief executive Mark Zuckerberg said in a call with reporters Wednesday.
Facebook said in a blog post Wednesday, "Given the scale and sophistication of the activity we've seen, we believe most people on Facebook could have had their public profile scraped."
Facebook users could have blocked this search function, which was turned on by default, by tweaking their settings to restrict the finding of their identities by phone numbers or email addresses. But research has consistently shown that users of online platforms rarely adjust default privacy settings and often fail to understand what information they are sharing.
Hackers also abused Facebook's account recovery function, by pretending to be legitimate users who had forgotten account details. Facebook's recovery system served up names, profile pictures and links to the public profiles themselves. This tool could also be blocked in privacy settings.
Names, phone numbers, email addresses and other personal information amount to critical starter kits for identity theft and other malicious online activity, experts on Internet crime say. The Facebook hacks allowed bad actors to tie raw data to people's real identities and build fuller profiles of them.
Privacy experts had issued warnings that the phone number and email address lookup tool left Facebook users' data exposed.
Facebook did not disclose who the malicious actors are, how the data might have been used or exactly how many people were affected.
The revelations about the privacy mishaps come at a perilous time for Facebook, which since last month has wrestled with the fallout of how the data of tens of millions of Americans ended up in the hands of Cambridge Analytica. Those reports have spurred investigations in the United States and Europe and sent the company's stock price tumbling.
The news quickly reverberated on Capitol Hill, where lawmakers are set to grill Zuckerberg at hearings next week.
"The more we learn, the clearer it is that this was an avalanche of privacy violations that strike at the core of one of our most precious American values – the right to privacy," said Sen. Edward Markey, D-Mass., who serves on the Senate Commerce Committee, which has called on Zuckerberg to testify at a hearing next week.
Perhaps the most urgent question for Facebook is whether its practices ran afoul of a settlement it brokered with the Federal Trade Commission in 2011 in response to previous controversies over its handling of user data.
The FTC said last week that it would open a new investigation in light of the Cambridge Analytica news, and Wednesday's revelations are likely to complicate the legal situation, said David Vladeck, a former FTC director of consumer protection who oversaw the 2011 consent decree.
"This is a company that is, in my view, likely grossly out of compliance with the FTC consent decree," said Vladeck, now a law professor at Georgetown University. "I don't think that after these revelations they have any defense at all." He called the numbers "just staggering."
The data that Cambridge Analytica obtained relied on different techniques and was more detailed and extensive than what the hackers collected using Facebook's search functions. The Cambridge Analytica data set included user names, home towns, work and educational histories, religious affiliations, and Facebook "likes" of users. Other users affected were in countries including the Philippines, Indonesia, Britain, Canada and Mexico.
Facebook said it banned Cambridge Analytica last month because the data firm improperly obtained profile information.
Personal data on users and their Facebook friends was easily and widely available to developers of apps before 2015.
Facebook in March declined to say how much user data went to Cambridge Analytica, saying only that 270,000 people had responded to a survey on an app created by a researcher in 2014. The researcher was able to gather information on the friends of the respondents without their permission, vastly expanding the scope of his data. That researcher then passed the information on to Cambridge Analytica.
Facebook declined to say at the time how many other users may have had their data collected in the process. A Cambridge Analytica whistleblower, former researcher Christopher Wylie, said last month that the real number of people affected was at least 50 million.
Wylie tweeted on Wednesday afternoon that Cambridge Analytica could have obtained even more than 87 million profiles. "Could be more tbh," he wrote, using an abbreviation for "to be honest."
Cambridge Analytica on Wednesday responded to Facebook's announcement by saying that it had licensed data on 30 million users. It has denied any wrongdoing in collecting or using Facebook data.
Cambridge Analytica was founded by a multimillion-dollar investment by hedge-fund billionaire Robert Mercer and headed by his daughter, Rebekah Mercer, who was the company's president, according to documents provided by Wylie. Serving as vice president was conservative strategist Stephen K. Bannon, who also was the head of Breitbart News. He has since left both jobs and also his post as a top White House adviser to Trump.
With its moves over the past week, Facebook is embarking on a major shift in its relationship with third-party app developers who have used its vast network to expand their businesses. What was largely an automated process will now involve developers' agreeing to "strict requirements," the company said in its blog post Wednesday. The 2015 policy change curtailed developers' abilities to access data about people's friend networks but left open many loopholes that the company tightened on Wednesday.
"This latest revelation is extremely troubling and shows that Facebook still has a lot of work to do to determine how big this breach actually is," said Rep. Frank Pallone, D-N.J., the top Democrat on the House Energy and Commerce Committee, which is to hear from Zuckerberg next Wednesday.
"I'm deeply concerned that Facebook only addresses concerns on its platform when it becomes a public crisis, and that is simply not the way you run a company that is used by over 2 billion people," he said.
Facebook announced plans Wednesday to add restrictions to how outsiders can gain access to this data, the latest steps in a years-long process to improve its damaged reputation as a steward of the personal privacy of its users.
Developers who in the past could get access to people's relationship status, calendar events, private Facebook posts and much more data will now be cut off from access or be required to endure a much stricter process for obtaining the information, Facebook said.
Until Wednesday, apps that let people input Facebook events into their calendars could also automatically import lists of all the people who attended the events, Facebook said. Administrators of private groups, some of which have tens of thousands of members, could also let apps scrape the Facebook posts and profiles of members of those groups. App developers who want this access will now have to prove that their activities benefit the group. Facebook will now need to approve tools that businesses use to operate Facebook pages. A business that uses an app to help it respond quickly to customer messages, for example, will not be able to do so automatically. Developers' access to Instagram will also be severely restricted.