Up to 87 million people had their Facebook data harvested for political profiling. The number who consented: roughly 270,000. And even they thought they were taking a personality quiz for academic research.

The gap between those two numbers is the entire scandal. And the mechanism that created it wasn’t a hack, a breach, or a rogue employee. It was a feature Facebook designed on purpose.

Key Takeaways

  • 270,000 quiz takers unlocked up to 87 million profiles: Facebook’s Graph API v1 let apps harvest data from users’ entire friends lists. By design, not by breach.
  • Facebook knew in December 2015: The Guardian reported the data operation then, but Facebook never audited the deletion it demanded and told no users for over two years.
  • The story broke on March 17, 2018, when whistleblower Christopher Wylie went public; Facebook lost more than $100 billion in market value within days.
  • The FTC fined Facebook a record $5 billion in July 2019, alongside a $100 million SEC settlement and a £500,000 UK fine, the maximum allowed under pre-GDPR law.
  • Facebook later agreed to pay $725 million to settle a user class action, the largest data-privacy settlement in US history.
  • Cambridge Analytica was dead within weeks: it filed for insolvency on May 2, 2018, roughly seven weeks after the story broke.

How Did a Personality Quiz Harvest 87 Million Profiles?

Through a door Facebook built on purpose: under Graph API v1, an app could request data not only from its own users but from their entire friends lists, so roughly 270,000 quiz takers were enough to expose tens of millions of people who never touched the app.

In 2013, a Cambridge University researcher named Aleksandr Kogan built an app called thisisyourdigitallife through his company Global Science Research. It paid users a small fee, recruited largely through online task platforms, to take a personality test, and they consented, in fine print, to collecting their Facebook data “for academic use.”

The science behind it wasn’t invented in a bunker. Researchers at Cambridge University’s Psychometrics Centre had already shown, in peer-reviewed work, that Facebook likes alone could predict personality traits, politics and sexual orientation with unsettling accuracy. Kogan’s app industrialized the idea: match a personality questionnaire to a user’s Facebook data, and you can infer the personalities of millions who never answered a single question.

About 270,000 people took it. Under the platform rules of the era, that was all it took: Facebook’s Graph API v1 allowed an app to pull data not only from its users but from their friends (likes, locations, interests, relationship data), people who had never seen the app, let alone agreed to anything.

Kogan passed the resulting dataset to Cambridge Analytica, a political consultancy founded in 2013, bankrolled with a reported $15 million from hedge-fund billionaire Robert Mercer and steered by Steve Bannon, who, by most accounts, chose the firm’s name. That transfer violated Facebook’s terms. The collection itself, chillingly, mostly didn’t.

The Machine Built on Top

Cambridge Analytica’s pitch to campaigns was “psychographics”: score millions of voters on personality traits, then hit each cluster with the messaging most likely to move them: fear for the anxious, anger for the aggrieved. The firm worked on the Ted Cruz campaign, then the 2016 Trump campaign, and boasted about its role in Brexit-adjacent efforts.

How decisive psychographics actually were remains debated by researchers. What isn’t debated is what the firm had: intimate behavioral data on a scale no political operation had ever possessed, gathered without meaningful consent.

“We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons.” (Christopher Wylie, Cambridge Analytica whistleblower)

The firm’s swagger helped finish it off. In March 2018, Britain’s Channel 4 aired undercover footage of CEO Alexander Nix appearing to boast to a would-be client about entrapment tactics: bribes, operatives, compromising situations. He was suspended within days, and the company’s remaining credibility evaporated with him. That same month, UK investigators executed a warrant on Cambridge Analytica’s London offices, and its executives were hauled before Parliament, where their answers, by most accounts, raised more questions than they settled.

When Did Facebook Know About Cambridge Analytica?

December 2015. That’s when The Guardian first reported that the Cruz campaign was using psychological profiles built from millions of Facebook users’ data, nearly two and a half years before the scandal exploded.

Here’s the part that turned a data story into a trust story. Facebook’s response to that 2015 report: it quietly removed Kogan’s app, sent letters demanding the data be deleted, and took everyone’s word that it had been. No audit. No user notification. Nothing, until whistleblower Christopher Wylie went public in March 2018 with proof the data had never gone away.

DateEvent
2010Facebook launches Graph API v1, exposing friends’ data to apps
2013Kogan’s quiz app begins harvesting profiles
2014Facebook announces API changes, giving existing apps a year of continued friend-data access
Dec 2015Guardian report; Facebook demands deletion, doesn’t verify
Mar 2018Wylie goes public; #DeleteFacebook trends; $100B+ market value evaporates
Apr 2018Zuckerberg testifies before Congress
Jul 2019FTC issues a record $5 billion penalty

What Did the Scandal Cost Facebook?

Roughly $6 billion in fines and settlements, two days of congressional testimony, and the end of the era when platforms could treat user data as free raw material. But not a dent in its dominance.

PenaltyAmountYear
FTC settlement, a record for a privacy case$5 billion2019
SEC settlement over investor disclosures$100 million2019
UK Information Commissioner’s fine, the statutory maximum£500,0002018
US user class-action settlement$725 million2022

Facebook’s crisis response set the tone. Zuckerberg stayed silent for days after the story broke (an eternity, mid-firestorm) before conceding a “breach of trust” and taking out full-page apology ads in American and British newspapers. Then, in April 2018, he spent roughly ten hours over two days testifying before Congress, hearings remembered less for accountability than for lawmakers’ unfamiliarity with the product, distilled in Zuckerberg’s deadpan explanation of his business model: “Senator, we run ads.”

The timing compounded everything. Europe’s GDPR took effect on May 25, 2018, weeks after the story broke, turning Cambridge Analytica into the founding case study of the data-regulation era. Had the conduct fallen under the new law, the maximum fine would have been measured in billions, not thousands. The 2019 documentary The Great Hack fixed it in popular memory.

And yet the business barely blinked. Facebook’s revenue and profits kept climbing; the $5 billion fine, historic on paper, was absorbed out of a single quarter’s earnings.

The Critical Choice

The critical choice predates Kogan, Wylie and Cambridge Analytica entirely. Around 2010, Facebook decided that apps on its platform could read the data of users’ friends, people with no relationship to the app at all. Internally, this was growth strategy: developers got rich data, built engaging apps, and made Facebook indispensable. Privacy was the currency, and Facebook was spending other people’s.

Every scandal needs a door left open. Graph API v1 wasn’t a door left open. It was a loading dock, built to spec, with the lights on. The 2015 decision to accept deletion promises without verification merely guaranteed that when the bill came due, it would come with interest.

What Happened Next

Cambridge Analytica died in 2018; Facebook did not. The FTC’s $5 billion fine was absorbed in a quarter, Graph API v1 was long gone, and the company, now Meta, grew larger than ever. The individuals scattered: Kogan has insisted he was scapegoated for practices Facebook knew about, Nix later accepted a multi-year UK directorship ban, and Cambridge Analytica alumni resurfaced at successor data firms within months of the insolvency. The deeper legacy is that “your data was used against you” entered mainstream politics, and platform data access has been tightening ever since. The threat model simply moved: from permissive APIs to insiders selling customer data outright. For what happens when a platform’s founder becomes the story, see Elon Musk’s $44 billion Twitter takeover, and for more stories like this one, browse the Big Tech investigations.