On Wednesday, Facebook CEO Mark Zuckerberg finally commented about the role Facebook played in Cambridge Analytica’s harvesting of 50 million Facebook users’ private information. From his personal account, Zuckerberg admitted that Facebook had let users down by not protecting their data from third parties, and vowed to set up checks and balances to ensure that something like it never happens again.

“The good news is that the most important actions to prevent this from happening again today we have already taken years ago,” he said. The bad news, however, is that before Facebook took those actions, we still don’t know how many apps similar to the one utilized by Cambridge Analytica could have also been amassing a shocking amount of private user data.

Related: Delete Facebook? What to Know Before You Do It

Zuckerberg says Facebook now intends to investigate all apps that had access to large amounts of information before the company changed its platform to dramatically reduce data access in 2014, presumably in order to ensure that they didn’t share that data with third parties — which is against Facebook’s rules. But that’s seven years worth of time during which third-party apps could acquire data from users who opted in, as well as data about their friends. “Thisisyourdigitallife,” an app developed by a University of Cambridge professor, did just that. The information culled by “Thisisyourdigitallife” was eventually passed on to Cambridge Analytica, who then sold the data to President Donald Trump’s presidential campaign in order to target voters.

On top of reviewing the apps using Facebook before 2014, Zuckerberg says Facebook will conduct a full audit of any app with “suspicious activity,” although he did not elaborate on what that might be. “If we find developers that misused personally identifiable information, we will ban them and tell everyone affected by those apps. That includes people whose data Kogan misused here as well,” he said.

Facebook is also taking steps to limit the amount of data apps can acquire from users to their name, profile photo and email address. For anything more, “We’ll require developers to not only get approval but also sign a contract in order to ask anyone for access to their posts or other private data,” he said.

The site is also adding a tool at the top of the News Feed that will show you the apps you use and allow you the chance to opt out. This already exists, but it’s been buried in users’ privacy settings, leaving it to possibly go unnoticed.

Zuckerberg said there would be more changes to come in the next few days. While the news of definitive action from Facebook’s CEO is a good sign, if their investigation is truly transparent, it’s possible we could learn that Cambridge Analytica is just the tip of the iceberg.

Meanwhile, Facebook’s stock dropped sharply after the news of the massive data breach was published by The New York Times.

Facebook stock before and after the Cambridge Analytica data breach story was published.
Facebook stock before and after the Cambridge Analytica data breach story was published.

In addition to the Facebook statement, Zuckerberg will be interviewed by CNN’s Anderson Cooper at 9 p.m. Eastern on Wednesday night.

Here’s Zuckerberg’s full statement: