The US Federal Trade Commission will investigate Facebook over how private data on millions of users was given to Cambridge Analytica.
The social network has been criticised for letting the analysis firm scoop up data on 50 million users.
The information is believed to have been used to help Donald Trump’s 2016 campaign for US president.
The FTC said its probe would determine whether Facebook had “failed” to protect users’ privacy.
News of the FTC probe, which former FTC officials say could trigger fines in the trillions of dollars – sent shares down 6.5% in afternoon trading in New York before they recovered slightly.
- Facebook boss apologises in newspaper ads
- How to protect your Facebook data
- If I’ve got your number, so has Facebook
Tom Pahl, acting director of the FTC’s Bureau of Consumer Protection, said it took the reports about user data going astray “very seriously”.
He said the FTC regularly took “enforcement action” against firms that caused substantial injury to consumers by breaking laws that govern how personal information should be kept safe.
Facebook is required by law to notify users and get their permission before data is shared beyond their preferred privacy settings in what is known as the “consent decree”.
David Vladeck, the former director of the FTC’s Bureau of Consumer Protection, said that the penalty for each violation of the consent decree is $40,000.
If the data of 50 million people were indeed compromised, the social network’s financial exposure to fines could run into trillions of dollars, Mr Vladeck told the Washington Post.
Rob Sherman, deputy chief privacy officer for Facebook, told CNBC it would“appreciate the opportunity to answer questions the FTC may have”.
The data was grabbed via an app that let people take a personality quiz. Although only 270,000 people completed the quiz, the app was able to exploit the way Facebook held data to get at information about millions more.
Facebook says it has changed its rules on user consent to stop other third parties harvesting data in the same way.
Also on Monday, a bipartisan group of attorneys general representing 37 US states wrote a joint letter to Facebook demanding answers to what led to the breach and how the company allowed it to happen.
“As the chief law enforcement officers of our respective states, we place a priority on protecting user privacy, which has been repeatedly placed at risk because of businesses’ failure to properly ensure those protections,” the group wrote.
The social network is also facing a probe by UK data protection regulators and the European Commission.
The announcement comes after Facebook placed adverts in US and UK newspapers apologising for losing control of the data.
In the ads, Facebook boss Mark Zuckerberg said the company could have done more to stop the data on millions of users going astray.
“This was a breach of trust, and I am sorry,” the back-page ads said.
The company said it was taking steps to ensure the same type of data loss could not happen again.
In separate development, the Republican chairman of a powerful senate committee said that he had invited Mr Zuckerberg to testify to a hearing next month “regarding the protection and monitoring of consumer data”.
Senator Chuck Grassley, chairman of the upper chamber’s judiciary committee, said he had also invited representatives from Twitter and Google to discuss “how such data may be misused or improperly transferred and what steps companies like Facebook can take to better protect personal information of users and ensure more transparency in the process”.
Mr Grassley’s panel is the third US congressional committee to seek out Mr Zuckerberg’s testimony in the wake of the Cambridge Analytica scandal, the Associated Press reports.