Facebook claims the data of up to 87 million people was improperly shared with the political consultancy Cambridge Analytica – many more than previously disclosed.
The BBC has been told that about 1.1 million of them are UK-based.
The overall figure had been previously quoted as being 50 million by the whistleblower Christopher Wylie.
Facebook chief Mark Zuckerberg said “clearly we should have done more, and we will going forward”.
During a press conference he said that he had previously assumed that if Facebook gave people tools, it was largely their responsibility to decide how to use them.
But he added that it was “wrong in retrospect” to have had such a limited view.
“Today, given what we know… I think we understand that we need to take a broader view of our responsibility,” he said.
“That we’re not just building tools, but that we need to take full responsibility for the outcomes of how people use those tools as well.”
Mr Zuckerberg also announced an internal audit had uncovered a fresh problem. Malicious actors had been abusing a feature that let users search for one another by typing in email addresses or phone numbers into Facebook’s search box.
As a result, many people’s public profile information had been “scraped” and matched to the contact details, which had been obtained from elsewhere.
Facebook has blocked now blocked the facility.
“It is reasonable to expect that if you had that [default] setting turned on, that in the last several years someone has probably accessed your public information in this way,” Mr Zuckerberg said.
The estimates of how many people’s data had been exposed were revealed in a blog by the tech firm’s chief technology officer, Mike Schroepfer.
Cambridge Analytica licensed data from GSR for 30 million individuals, not 87 million. We did not receive more than 30 million records from research company GSR.
— Cambridge Analytica (@CamAnalytica) April 4, 2018
The BBC has also learned that Facebook now estimates that about 305,000 people had installed the This Is Your Digital Life quiz that had made the data-harvesting possible. The previously suggested figure had been 270,000.
About 97% of the installations occurred within the US. However, just over 16 million of the total number of users affected are thought to be from other countries.
A spokeswoman for the UK’s Information Commissioner’s Office told the BBC that it was continuing to assess and consider the evidence before deciding what steps to take.
What is the controversy about?
Facebook has faced intense criticism after it emerged that it had known for years that Cambridge Analytica had collected data from millions of its users, but had relied on the London-based firm to self-certify that it had deleted the information.
Cambridge Analytica said it had bought the information from the creator of the This Is Your Digital Life app without knowing that it had been obtained improperly.
The firm says it deleted all the data as soon as it was made aware of the circumstances.
But Channel 4 News has since reported that at least some of the data in question is still in circulation despite Cambridge Analytica insisting it had destroyed the material.
During Mr Zuckerberg’s press conference, Cambridge Analytica tweeted it had only obtained data for 30 million individuals – not 87 million – from the app’s creator, and again insisted it had deleted all records.