Facebook Inc admitted on Wednesday that the personal information of up to 87 million users, mostly in the United States, may have been improperly shared with political consultancy Cambridge Analytica, up from a previous news media estimate of more than 50 million.
The source of this vulnerability is Facebook’s search function, which allows anyone to look up users via their email address or phone number. Users have to opt into it via an option that lets their names come up in searches. The security settings have this option on by default.
In a blog post from CTO Mike Schroepfer, Facebook hinted at the scope of the problem:
“However, malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery. Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way.”
During a call today with members of the press, Zuckerberg confirmed just how open Facebook had left its users:
“I would assume if you had that setting turned on that someone at some point has access to your public information in some way.”
Zuckerberg clarified, when asked about the 87 million number cited earlier, that it was the number of users potentially affected by Cambridge Analytica. He said he was confident that was the maximum number. He told reporters that he accepted blame for the data leak, which has angered users, advertisers and lawmakers, while also saying he was still the right person to head the company he founded.
“When you’re building something like Facebook that is unprecedented in the world, there are going to be things that you mess up,” Zuckerberg said, adding that the important thing was to learn from mistakes.