Facebook said Wednesday that “malicious actors” took advantage of search tools on its platform, making it possible for them to discover the identities and collect information on most of its 2 billion users worldwide.

The revelation came amid rising acknowledgement by Facebook about its struggles to control the data it gathers on users. Among the announcements Wednesday was that Cambridge Analytica, a political consultancy hired by President Trump and other Republicans, had improperly gathered detailed Facebook information on 87 million people, of whom 71 million were Americans.

But the abuse of Facebook’s search tools -- now disabled -- happened far more broadly and over the course of several years, with few Facebook users likely escaping the scam, company officials acknowledged.

The scam started when malicious hackers harvested email addresses and phone numbers on the so-called “Dark Web,” where criminals post information stolen from data breaches over the years. Then the hackers used automated computer programs to feed the numbers and addresses into Facebook’s “search” box, allowing them to discover the full names of people affiliated with the phone numbers or addresses, along with whatever Facebook profile information they chose to make public, often including their profile photos and hometown.

“We built this feature, and it’s very useful. There were a lot of people using it up until we shut it down today,” Chief Executive Mark Zuckerberg said in a call with reporters Wednesday.

Facebook said in a blog post Wednesday, “Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped.”

Facebook users could have blocked this search function, which was turned on by default, by tweaking their settings to restrict finding their identities by using phone numbers or email addresses. But research has consistently shown that users of online platforms rarely adjust default privacy settings and often fail to understand what information they are sharing.

Hackers also abused Facebook’s account recovery function, by pretending to be legitimate users who had forgotten account details. Facebook’s recovery system served up names, profile pictures and links to the public profiles themselves. This tool could also be blocked in privacy settings.

Names, phone numbers, email addresses and other personal information amount to critical starter kits for identity theft and other malicious online activity, experts on Internet crime say. The Facebook hack allowed bad actors to tie raw data to people’s real identities and build fuller profiles of them.

Privacy experts had issued warnings that the phone number and email address lookup tool left Facebook users’ data exposed.

Facebook didn’t disclose who the malicious actors are, how the data might have been used, or exactly how many people were affected.

The revelations about the privacy mishaps come at a perilous time for Facebook, which since last month has wrestled with the fallout of how the data of tens of millions of Americans ended up in the hands of Cambridge Analytica. Those reports have spurred investigations in the United States and Europe and sent the company’s stock price tumbling.

The news quickly reverberated on Capitol Hill, where lawmakers are set to grill Zuckerberg at a series of hearings next week.

“The more we learn, the clearer it is that this was an avalanche of privacy violations that strike at the core of one of our most precious American values – the right to privacy,” said Sen. Ed Markey (D-Mass.), who serves on the Senate Commerce Committee, which has called on Zuckerberg to testify at a hearing next week.

Perhaps the most urgent question for Facebook is whether its practices ran afoul of a settlement it brokered with the Federal Trade Commission in 2011 in response to previous controversies over its handling of user data.

At the time, the FTC faulted Facebook for misrepresenting the privacy protections it afforded its users and required the company to maintain a comprehensive privacy policy and ask permission before sharing user data in new ways. Violating the terms could result in many millions of dollars of fines.

The FTC said last week that it would open a new investigation in light of the Cambridge Analytica news, and Wednesday’s revelations are likely to complicate the legal situation, said David Vladeck, a former FTC director of consumer protection who oversaw the 2011 consent decree.

“This is a company that is, in my view, likely grossly out of compliance with the FTC consent decree,” said Vladeck, now a Georgetown University Law professor. “I don’t think that after these revelations they have any defense at all.” He called the numbers “just staggering.”

The data Cambridge Analytica obtained relied on different techniques and was more detailed and extensive than what the hackers collected using Facebook’s search functions. The Cambridge Analytica data set included user names, hometowns, work and educational histories, religious affiliations and Facebook “likes” of users and their friends, among other data. Other users affected were in countries including the Philippines, Indonesia, U.K., Canada and Mexico.

Facebook said it banned Cambridge Analytica last month because the data firm improperly obtained profile information.

Personal data on users and their Facebook friends was easily and widely available to developers of apps before 2015.

Facebook in March declined to say how much user data went to Cambridge Analytica, saying only that 270,000 people had responded to a survey app created by the researcher in 2014. The researcher was able to gather information on the friends of the respondents without their permission, vastly expanding the scope of his data. That researcher then passed the information on to Cambridge Analytica.

Facebook declined to say at the time how many other users may have had their data collected in the process. A Cambridge Analytica whistleblower, former researcher Christopher Wylie, said last month the real number of affected people was at least 50 million.

Wylie tweeted on Wednesday afternoon that Cambridge Analytica could have obtained even more than 87 million profiles. “Could be more tbh,” he wrote, using an abbreviation for “to be honest.”

Cambridge Analytica on Wednesday responded to Facebook’s announcement by saying that it had licensed data on 30 million users, and deleted it upon Facebook's request. It has denied any wrongdoing in collecting or using Facebook data.

Cambridge Analytica was funded by a multimillion-dollar investment by hedge-fund billionaire Robert Mercer and headed by his daughter, Rebekah Mercer, who was the company’s president, according to documents provided by Wylie. Serving as vice president was conservative strategist Stephen K. Bannon, who also was the head of Breitbart News. He has since left both jobs and also his post as top White House adviser to Trump.

With its moves over the past week, Facebook is embarking on a major shift in its relationship with third-party app developers that have used Facebook’s vast network to expand their businesses. What was largely an automated process will now involve developers agreeing to “strict requirements,” the company said in its blog post Wednesday. The 2015 policy change curtailed developers’ abilities to access data about people’s friends’ networks but left open many loopholes that the company tightened on Wednesday.

“This latest revelation is extremely troubling and shows that Facebook still has a lot of work to do to determine how big this breach actually is,” said Rep. Frank Pallone Jr. (D-N.J.), the top Democrat on the House Energy and Commerce Committee, which will hear from Zuckerberg next Wednesday.

“I’m deeply concerned that Facebook only addresses concerns on its platform when it becomes a public crisis, and that is simply not the way you run a company that is used by over 2 billion people,” he said.

Facebook announced plans on Wednesday to add new restrictions to how app developers, data brokers and other third parties can gain access to this data, the latest steps in a years-long process to improve its damaged reputation as a steward of the personal privacy of its users.

Developers who in the past could get access to people’s relationship status, calendar events, private Facebook posts, and much more data, will now be cut off from access or be required to endure a much stricter process for obtaining the information, Facebook said.

Until Wednesday, apps that let people input a Facebook event into their calendar could also automatically import lists of all the people who attended that event, Facebook said. Administrators of private groups, some of which have tens of thousands of members, could also let apps scrape the Facebook posts and profiles of members of that group. App developers who want this access will now have to prove their activities benefit the group. Facebook will now need to approve tools that businesses use to operate Facebook pages. A business that uses an app to help it respond quickly to customer messages, for example, will not be able to do so automatically. Developers’ access to Instagram will also be severely restricted.

Facebook is now banning apps from accessing users’ information about their religious or political views, relationship status, education, work history, fitness activity, book reading habits, music listening and news reading activity, video watching and games. Data brokers and businesses collect this type of information to build profiles of their customers’ tastes.

Correction: An earlier version of the story said that malicious actors used Facebook's tools to obtain email addresses and phone numbers. In fact, the malicious actors used email addresses and phone numbers that they had previously gathered to obtain other personal information, such as names, hometown, profile photos and other public information from Facebook profiles.