How Cambridge Analytica Harvested 87 Million Facebook Users

In the spring of 2018, one of the largest data breaches in internet history became public—not through an anonymous leak, but through a whistleblower willing to testify and journalists willing to investigate. The story that emerged from *The Guardian* and *New York Times* on March 17, 2018, exposed a systematic surveillance operation that had compromised the personal information of roughly one in three American Facebook users.

The operation itself was deceptively simple. Between 2013 and 2015, Cambridge Analytica, a British-headquartered political consulting firm, deployed a psychological survey app called "thisisyourdigitallife." Created by researcher Aleksandr Kogan, the app was straightforward: users installed it, answered questions, and received feedback on their personality.

But the real data collection operated on a different level. When someone installed the app, it didn't just gather their responses—it gained access to data from all of their Facebook friends as well. The app was installed by approximately 300,000 people, but through Facebook's permissive API (Application Programming Interface) design at the time, Cambridge Analytica captured information from roughly 87 million users who had never even interacted with the app.

**The Technical Vulnerability**

This breach reveals a critical flaw in how Facebook operated during the early-to-mid 2010s. The platform allowed third-party applications sweeping access to user data—a design choice that prioritized developer innovation over user privacy. Facebook's API permitted apps to retrieve not just a user's direct information, but data from their entire social network, with minimal oversight.