Facebook was warned by security researchers that attackers could abuse its phone number and email search facility to harvest people’s data.
On Wednesday, the firm said “malicious actors” had been harvesting profiles for years by abusing the search tool.
It said anybody that had not changed their privacy settings after adding their phone number should assume their information had been harvested.
One security expert told the BBC the attack had been possible “for years”.
How did the attack work?
Until Wednesday, Facebook let people search for their friends’ profiles by typing in a phone number or email address.
The company has now disabled the ability to search by phone number.