Following the scandal that left pie all over Mark Zuckerberg’s face, the Facebook Inc. chief executive and his closest executives have come clean regarding the extent of data harvesting — and it’s worse than you thought.

In short, the company said in the biggest disclosure about its data practices yet, just about all of Facebook’s 2.2 billion users have probably seen their data harvested in some way by “malicious actors.”

“Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way,” said Facebook Chief Technology Officer Mike Schroepfer. The admission relates to the search feature whereby people on the platform can be found via their phone number or email address, a feature that apparently was widely abused.

That feature has now been disabled, and Zuckerberg (pictured) offered a candid response to the criticism that followed the revelation. “I would assume if you had that setting turned on that someone at some point has access to your public information in some way,” he said in an interview.

What this essentially means is that someone — a government, a hacker or another malicious actor — could have access to any number of Facebook users’ public profiles. A hacker, according to Facebook, could get hold of a phone number and then proceed to gather information on a user. This process, if automated, could mean easy access to hundreds of thousands of people, giving hackers tools to commit identify theft and fraud.

Zuckerberg admitted that this automated scraping has occurred. “We did see a number of folks who cycled through … hundreds of thousands of IP addresses to evade the rate-limiting system, and that wasn’t a problem we really had a solution to,” he said in a Q&A session Wednesday. Facebook turned off the feature, leaving users astounded at the news that they should just assume that their data could have been compromised.

Chief Operating Officer Sheryl Sandberg issued her own admission in interviews, stating that Facebook had not invested enough in security. “We made mistakes and I own them and they are on me,” she said. “There are operational things that we need to change in this company and we are changing them.”

Talking about the 87 million users whose data was “improperly shared” with analytics firm Cambridge Analytica, Sandberg said, “It was a mistake for Mark and me not to speak out earlier and faster. We wanted to make sure we knew exactly what happened.”

In the Q&A, Zuckerberg alluded to the company’s growing pains: “When you are building something like Facebook that is unprecedented in the world, there are going to be things that you mess up.” It’s no surprise, then, that Facebook today said it has paused a program to work with hospitals in the U.S. to exchange anonymized data with health organizations in the name of medical research.

Image: Andrew Felnberg via Flickr