It was only a matter of time. After raising its estimates for the number of people affected by the Cambridge Analytica scandal, Facebook outright admitted that anyone with an account likely had their personal information compromised.
The social media giant said on Wednesday that “malicious actors” exploited a vulnerability in search and account recovery features to harvest the information of “most” of Facebook’s 2.2 billion users.
“We’ve seen some scraping,” CEO Mark Zuckerberg said on a call with reporters, CNBC reports. “I would assume if you had that setting turned on that someone at some point has access to your public information in some way.”
The problem stems from a search lookup tool that allowed users to find a specific profile by inputting a phone number or email address into the search bar instead of a name. Without going into much detail, Facebook CTO Mike Schroepfer wrote in a blog post that bad actors abused the feature to harvest public profile information by submitting known phone numbers and email addresses. As of yesterday, the feature has been disabled.
“Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way,” Schroepfer wrote.
Unlike its encrypted instant messages and other hidden security tools, the search feature was enabled by default. It seems that unless a user navigated to their settings and manually turned it off, their information was left vulnerable.
The revelation comes on the same day we learned that more people were affected by the Cambridge Analytica data scandal than first expected. Facebook raised its estimate to 87 million from the previously reported 50 million. Zuckerberg says he’s confident that number won’t increase. The CEO took full responsibility for the company’s failures to protect user data.
“At the end of the day, this is my responsibility. So there have been a bunch of questions about [firing staff]. I started this place. I run it. And I am responsible for what happens here,” Zuckerberg said.
The company has released a flurry of updates designed to provide transparency about how and why it collects data. Several new features designed to give power back to users were also released as part of its ongoing effort to win back the public. Mark Zuckerberg will testify in front of Congress next week, where he'll explain how these security breaches occurred and try to convince the world that the steps Facebook is taking are enough to prevent them from happening again.