Facebook said Wednesday that “malicious actors” took advantage of search tools on its platform, making it possible for them to discover the identities and collect information on most of its 2 billion users worldwide.
The revelation came amid rising acknowledgement by Facebook about its struggles to control the data it gathers on users. Among the announcements Wednesday was that Cambridge Analytica, a political consultancy hired by President Trump and other Republicans, had improperly gathered detailed Facebook information on 87 million people, of whom 71 million were Americans.
But the abuse of Facebook’s search tools — now disabled — happened far more broadly and over the course of several years, with few Facebook users likely escaping the scam, company officials acknowledged.
The scam started when malicious hackers harvested email addresses and phone numbers on the so-called “Dark Web,” where criminals post information stolen from data breaches over the years. Then the hackers used automated computer programs to feed the numbers and addresses into Facebook’s “search” box, allowing them to discover the full names of people affiliated with the phone numbers or addresses, along with whatever Facebook profile information they chose to make public, often including their profile photos and hometown.
“We built this feature, and it’s very useful. There were a lot of people using it up until we shut it down today,” Chief Executive Mark Zuckerberg said in a call with reporters Wednesday.
Facebook said in a blog post Wednesday, “Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped.”
Facebook users could have blocked this search function, which was turned on by default, by tweaking their settings to restrict finding their identities by using phone numbers or email addresses. But research has consistently shown that users of online platforms rarely adjust default privacy settings and often fail to understand what information they are sharing.