Facebook was warned by security researchers that attackers could abuse its phone number and email search facility to harvest people’s data.
On Wednesday, the firm said “malicious actors” had been harvesting profiles for years by abusing the search tool.
It said anybody who had not changed their privacy settings after adding their phone number should assume their information had been harvested.
One security expert told the BBC the attack had been possible “for years”.
How did the attack work?
Until Wednesday, Facebook let people search for their friends’ profiles by typing in a phone number or email address.
But it said scammers had abused the facility and used it to link phone numbers and emails to people’s names and profile information.
An attacker could type in any phone number – even one they had made up by guessing – and link it to a person’s profile. Often this would reveal their name, location and other profile information.