SAN FRANCISCO • Most of Facebook's two billion users likely have had their public profiles scraped by outsiders without the users' explicit permission, dramatically raising the stakes in a privacy controversy that has dogged the social media giant for weeks, spurred investigations in the United States and Europe, and sent the company's stock price tumbling.

The company said it has now moved to get rid of a feature that lets users enter phone numbers or e-mail addresses into Facebook's search tool to find other people.

The function was being used by malicious actors to scrape public profile information, it said. "Given the scale and sophistication of the activity we have seen, we believe most people on Facebook could have had their public profile scraped in this way," the compnay said on Wednesday. "So, we have now disabled this feature."

The acknowledgement was part of a broader disclosure by Facebook about the ways in which various levels of user data have been taken by everyone from malicious actors to ordinary app developers.

Chief executive Mark Zuckerberg said in a call with reporters: "We are an idealistic and optimistic company, and for the first decade, we were focused on all the good that connecting people brings.

"But it is clear now that we didn't focus enough on preventing abuse and thinking about how people could use these tools for harm as well."

As part of the disclosure, Facebook for the first time detailed the scale of the improper data collection for Cambridge Analytica, a political data consultancy hired by United States President Donald Trump and other Republican candidates in the last two federal election cycles.

The political consultancy gained access to Facebook information on up to 87 million users, 71 million of whom are Americans, Facebook said. Cambridge Analytica obtained the data to build "psychographic" profiles that would help deliver targeted messages intended to influence voters.

But in research sparked by revelations from a Cambridge Analytica whistle-blower last month, Facebook determined that the problem of third-party collection of user data was far larger and, with the company's massive user base, likely affected a large cross-section of people in the developed world.

The scraping by malicious actors typically involved gathering public profile information - including names, e-mail addresses and phone numbers, according to Facebook - by using a "search and account recovery" function that Facebook said it has only now disabled.

The data obtained by Cambridge Analytica was more detailed and extensive, including names, home towns, work and educational histories, religious affiliations and "likes" of users, among other data.

With its moves over the past week, Facebook is embarking on a major shift in its relationship with third-party app developers that have used Facebook's vast network to expand their businesses.

What was largely an automated process will now involve developers agreeing to "strict requirements", the company said.

Developers who in the past could get access to people's relationship status, calendar events, private Facebook posts and much more data will now be cut off from access or be required to endure a much stricter process for obtaining the information.

Facebook is, however, not limiting the data the company itself can collect, nor is it restricting its ability to profile users to enable advertisers to target them with personalised messages.

One piece of data Facebook said it would stop collecting was the time of phone calls, a response to outrage from users of Facebook's Messenger service who discovered that allowing Facebook to access their phone contact list was giving the company access to their call logs.

