As the number of people affected by the Cambridge Analytica data breach has grown over the last several weeks — first said to be 50 million users, and then on Wednesday, estimated at 87 million. A new number is now emerging to describe the true reach of Facebook’s data problem: 2 billion.

That’s the total number of users on Facebook worldwide, and the company is now saying that bad actors have likely taken advantage of the site’s search tools to potentially cull the data of any user on the site.

How Did We Get Here?

On Wednesday, Facebook’s Chief Technology Officer Mike Schroepfer posted a corporate blog post on the platform updating users on Facebook’s plan to combat the Cambridge Analytica scandal, as well as to announce that a tool will be added in the news feed on Monday that will allow users to see what data they have shared with apps, including Cambridge Analytica.

Most of the post details the ways in which Facebook plans to implement checks and balances on third-party apps’ abilities to access data, by acquiring more levels of approval from group admins and Facebook itself, for example.

But one of the most troubling revelations in Schroepfer’s post is that the search function on Facebook has also been used by malicious actors to acquire personal information from the user’s public profiles.

How Do Bad Actors Gain Information?

Schroepfer’s post is rather vague, but according to The Washington Post, bad actors who harvested phone numbers or email addresses on the Dark Web from other data breaches could then feed that info into Facebook’s search bar and retrieve the profiles of users. Until Wednesday, Facebook’s search function had allowed users to plug in a phone number or an email address instead of a name in order find friends. The rational here was that many people around the world have the exact same name, so using email addresses and phone numbers for search was an effective workaround. Schroepfer announced that that will no longer be possible, but the damage is done.

“Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way,” he said.

Technically, anybody — bad actors or not — could easily find a profile via a phone number, see a photo of a person, and ascertain a person’s whereabouts if they’ve disclosed their location. But that’s also the kind of information that can help identity thieves build credible fake profiles of real people. Shroepfer didn’t provide further information about what kind of bad actors may have harvested users’ public photos and hometowns. But as Mark Zuckerberg is set to testify before Congress on Wednesday, lawmakers might be interested in parsing out more details from the company’s CEO.