An internal investigation at Facebook found that hackers broke into the accounts of about 30 million users, not 50 million as the company originally feared — but that many of those affected had reams of vital personal data stolen.
The social media giant, embroiled in a series of controversies and facing heavy Washington scrutiny, provided an update on the investigation in a blog post Friday.
“For 15 million people, attackers accessed two sets of information — name and contact details (phone number, email, or both, depending on what people had on their profiles),” wrote Guy Rosen, Facebook’s vice president of product management. “For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles.”
Those other details, he said, included people’s location, gender, relationship status, and recent search and location information. Hackers commandeered the accounts of an additional million people but didn’t access any of their information, Rosen said.
Facebook revealed the breach in late September, resetting login sessions for a total of 90 million users as a precautionary measure. The attackers exploited a vulnerability in Facebook’s “View As” feature, which lets users see what their profiles look like to other people. Facebook on Friday reiterated that the attack didn’t affect third-party apps or Facebook-owned services like Messenger, Messenger Kids, Instagram and WhatsApp.
In a call with reporters Friday, Rosen said the company doesn’t know the purpose of the hack. He declined to offer a breakdown of where affected users are located.
Rosen also said Facebook is preparing additional customized notifications for affected users in the coming days and is supplying additional information in its help center. Facebook will try to notify any affected users who have deleted or abandoned their accounts, he said, though the company has been notifying users primarily through the platform itself.
Facebook has not ruled out possible “smaller-scale attacks” exploiting the vulnerability, which is still under investigation, Rosen added.
The Irish Data Protection Commission already announced a probe on behalf of the EU, and U.S. lawmakers have slammed Facebook over the breach.
Facebook will continue to cooperate with the FBI, Federal Trade Commission and Irish regulators, Rosen wrote in the blog post.