Up to 87 million people may have had their Facebook data improperly passed to a third-party political firm – and most users’ public profile information could have been collected, the social media company has revealed.

Initial accounts estimated the number of people affected at around 50m. But Facebook updated that number to say information from as many as 37m additional users could have been shared with Cambridge Analytica. And it warned in a blog post that a now-discarded feature meant “most people on Facebook” could have had their public data scraped by “malicious actors”.

The revelations expanded the scope of a privacy scandal besieging the company just days ahead of CEO Mark Zuckerberg’s hotly anticipated appearance before Congress. 

It had already been revealed that a researcher harvested information encompassing a vast number of Facebook users and then passed it on to Cambridge Analytica, a company that went on to work for Donald Trump’s presidential campaign. The news has sent the company’s stock plunging and stoked a political outcry on both sides of the Atlantic.

Facebook said it would inform users if their information had been funnelled to Cambridge Analytica. It said roughly 70 million of those users were in the United States.

And in seeking to reassure users that it was moving to safeguard their personal information, the company made an extraordinary disclosure: chief technology officer Mike Schroepfer said the majority of its users were vulnerable to abuse of a now-disabled feature allowing people to search for other users with phone numbers and email addresses.

“Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way”, Mr Schroepfer said in the blog post.

In addition to announcing it would scrap that ability, Facebook laid out a series of more stringent data-protection measures to restrict the information third-party apps can draw from events, groups and pages. Those steps built on previously announced changes limiting the data third-party apps can access.

It also detailed tougher rules on granting apps access to information including check-ins and likes and said it would bar access to personal information like workplace history and religious affiliation.

The changes come as Facebook confronts tremendous pressure to account for the Cambridge Analytica scandal and demonstrate it is fortifying its user safeguards. Multiple executives have said they would be open to further regulation, and Mr Zuckerberg is expected to appear before Congress next week.

While Facebook has said no data was breached, faulting Mr Kogan for passing data to Cambridge Analytica and both parties for failing to destroy the information, the controversy has extended a tumultuous year of political scrutiny and mounting anger for the social media giant.

The company spent much of 2017 explaining how Russian-linked operatives exploited the platform to disseminate misinformation and foment division, boosting inflammatory content with advertising.

Facebook’s pledge to inform users whose information was passed to Cambridge Analytica echoed its response last year to revelations of Russian interference, in which Facebook rolled out a tool to inform users who had interacted with Russian-generated content.

As many as 126m users may have come across Russian-linked content, Facebook ultimately said, a far greater figure than what was initially disclosed.