Facebook: It wasn’t 50M hit by Cambridge Analytica breach, but rather 87M

Also, Facebook will now delete all call and SMS logs older than one year.

In a new blog post published Wednesday morning, Facebook announced that even more people—beyond the initial 50 million—have been affected by the Cambridge Analytica scandal.

At the end of a lengthy piece, authored by Facebook CTO Mike Schroepfer, the company said simply: "In total, we believe the Facebook information of up to 87 million people—mostly in the US—may have been improperly shared with Cambridge Analytica."

Last month, the British data analytics contractor which worked with Donald Trump's presidential campaign retained private data from 50 million Facebook users despite claiming to have deleted it. The scandal has spawned numerous lawsuits, and it has put significant pressure on Cambridge Analytica and Facebook.

Thus far, Cambridge Analytica and its affiliate companies have claimed that they did nothing wrong. The London offices were raided on March 23 by local investigators.

In the blog post, Schroepfer also announced a number of changes to Facebook's use of customer data, including the collection of phone calls and SMS messages revealed by Ars Technica last week.

Schroepfer reiterated Facebook's previous statement that users had given permission for that data to be collected, writing: "Call and text history is part of an opt-in feature for people using Messenger or Facebook Lite on Android."

Ars Video

The data was used to "surface the people you most frequently connect with at the top of your contact list," Schroepfer said.

While the calls themselves and SMS message contents were not captured, the time of messages and the time and length of phone calls was recorded by Facebook. Schroepfer said that Facebook will now delete all call and SMS logs older than one year.

"In the future," he wrote, "the [Messenger and Facebook Lite] client will only upload to our servers the information needed to offer this feature—not broader data such as the time of calls."

He also added that until today, it was possible to search for a person's phone number or email address to find them.

"However, malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery," he added. "Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way. So we have now disabled this feature. We’re also making changes to account recovery to reduce the risk of scraping as well."

There were also other changes announced, including yanking any given app's access to "personal information such as religious or political views, relationship status and details, custom friends lists, education and work history, fitness activity, book reading activity, music listening activity, news reading, video watch activity, and games activity. In the next week, we will remove a developer’s ability to request data people shared with them if it appears they have not used the app in the last 3 months."

CEO Mark Zuckerberg is scheduled to speak via phone conference with reporters, including Ars, at 1pm Pacific Time on Wednesday.