Updated on April 4 at 5:14 p.m. ET
It seems like an innocuous enough feature. Until Wednesday, anybody on Facebook could enter a phone number or email address and find the Facebook profile associated with it. Useful if you’re searching for “John Smith” or its global equivalents.
But now imagine that someone has a list of email addresses or phone numbers that have been gathered outside of Facebook. With a simple script, that person could enter phone number after phone number and build a database of Facebook profiles, including whatever public information was available there.
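The abuse described above is an enumeration pattern: one source submits many distinct identifiers in a short period, and the lookup feature confirms which ones map to an account. From the defender's side the signal is the rate of distinct identifiers per source, counted across every endpoint that answers the same question (search and account recovery alike). The following is an added illustration, not Facebook's code or detection logic; the log format, the client identifiers, the one-minute window and the threshold of five are all constructed assumptions.

```python
"""Flag sources that look up many distinct identifiers in a short window.

Added example. The log lines, field layout, window and threshold are
constructed assumptions; they are not Facebook's logging or detection logic.
Each line is: <ISO timestamp> <source> <endpoint> <identifier looked up>.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: client-A alternates between the search and the
# account-recovery endpoints, so per-endpoint counting alone would miss it.
SAMPLE_LOG = """\
2018-04-03T10:00:00Z client-A search   +15550100001
2018-04-03T10:00:02Z client-A recovery +15550100002
2018-04-03T10:00:04Z client-A search   +15550100003
2018-04-03T10:00:06Z client-A recovery +15550100004
2018-04-03T10:00:08Z client-A search   +15550100005
2018-04-03T10:00:10Z client-A search   +15550100006
2018-04-03T10:00:12Z client-A recovery alice@example.com
2018-04-03T10:00:14Z client-A search   +15550100001
2018-04-03T10:00:30Z client-B search   bob@example.com
2018-04-03T10:00:45Z client-B search   bob@example.com
2018-04-03T10:03:00Z client-B recovery +15550100099
"""


def parse_log(text):
    """Turn the constructed log format into (timestamp, source, endpoint, identifier) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, endpoint, ident = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       source, endpoint, ident.lower()))
    return events


def peak_distinct_lookups(events, window=timedelta(minutes=1), split_by_endpoint=False):
    """For each source (or source+endpoint), the largest number of distinct
    identifiers it looked up inside any single window of the given length."""
    by_key = defaultdict(list)
    for ts, source, endpoint, ident in events:
        key = (source, endpoint) if split_by_endpoint else source
        by_key[key].append((ts, ident))

    peaks = {}
    for key, lookups in by_key.items():
        lookups.sort()  # sliding window needs time order
        best = 0
        for i, (start, _) in enumerate(lookups):
            seen = set()
            for ts, ident in lookups[i:]:
                if ts - start > window:
                    break
                seen.add(ident)  # repeats of the same identifier do not count twice
            best = max(best, len(seen))
        peaks[key] = best
    return peaks


def find_enumerating_sources(log_text, threshold=5, window=timedelta(minutes=1),
                             split_by_endpoint=False):
    """Return the sources whose peak distinct-lookup count exceeds the threshold."""
    peaks = peak_distinct_lookups(parse_log(log_text), window, split_by_endpoint)
    return {key: peak for key, peak in peaks.items() if peak > threshold}


if __name__ == "__main__":
    print("per source:   ", find_enumerating_sources(SAMPLE_LOG))
    print("per endpoint: ", find_enumerating_sources(SAMPLE_LOG, split_by_endpoint=True))
```

Counting per source across both endpoints flags client-A (seven distinct identifiers in fourteen seconds), whereas counting each endpoint separately flags nothing, because neither the search nor the recovery path alone crosses the threshold. That is the practical point for anyone running such a feature: throttling and alerting have to be keyed on the requester, not on the individual form.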
And it appears that this, indeed, happened. In an announcement on the company’s plans to restrict data access by outside companies, Facebook noted:
Malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery. Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way.
“Most people on Facebook” means that we’re talking about at least a billion users whose public Facebook information has been spirited away into databases unknown.