Earlier, Facebook had said that a security breach had affected the accounts of as many as 50 million people.
However, unlike other major hacks involving big companies, Facebook said it had no plans to provide protection services for concerned users.
The company set up a website that its 2 billion global users can use to check if their accounts have been accessed, and if so, exactly what information was stolen.
In a call with reporters on Friday, Facebook vice president of product management Guy Rosen detailed the type of personal information attackers may have obtained in what was likely the biggest data breach in the social networking giant’s history.
The social media company announced the breach September 28 and said at the time 50 million users could have been exposed.
News of the hack emerged on 5 October when Facebook said it feared 50m users had been affected.
It explained that 50 million people’s access tokens are believed to have been affected, and that 30 million of those actually had their tokens stolen.
For one million of those whose tokens were stolen, the attackers took no information. If your account was not compromised, you will see a message that reads “Based on what we’ve learned so far, your Facebook account has not been impacted by this security incident”.
That access let the attackers see the profile of each account, including the News Feed, what people would post to their timeline, names of recent Messenger conversations, and more.
Rosen reiterated that people’s accounts “have already been secured” by what Facebook did two weeks earlier, when it prompted millions of users to reset their access tokens.
Facebook said last month that it detected the attack when it noticed an uptick in user activity. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app”, according to Facebook.
Stolen data on 14 million users included birth dates, employers, education and lists of friends. The attackers then used some of those 400,000 accounts to steal the access tokens from a total of 30 million users. The company added that people can check whether they were affected by visiting the Facebook Help Center.
But while Facebook was able to lower the number of people affected, that’s cold comfort for the remaining 30 million.
Rosen would not say which specific countries were impacted by the hack or which entities Facebook suspects were behind it.
Facebook’s lead European Union data regulator, the Irish Data Protection Commissioner, last week opened an investigation into the breach.
Once they had the tokens for the seed accounts, Rosen said the attackers used the tokens to access the 400,000 accounts and deployed scripts to harvest even more tokens at a larger and automated scale.
The attackers used the “view as” flaw to breach the accounts of their friends, then used a tool they developed to expand to friends of friends and beyond.
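To illustrate the access-token mechanism described above (tokens as the “digital keys” that keep people logged in, and a reset that secures accounts even when tokens were stolen), here is an added example that is not Facebook’s code: a minimal HMAC-signed token service in which an incident-driven reset invalidates every outstanding token for the affected users, plus a simple issuance-volume check of the kind that would surface an uptick in activity. The class, the method names and the server secret are assumptions constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict


class TokenService:
    """Issues HMAC-signed access tokens and can revoke them per user.

    Each token embeds a per-user "generation" counter; bumping the counter
    (a token reset) makes every token issued under the old generation fail
    validation, even if an attacker still holds a copy of it.
    """

    def __init__(self, secret: bytes):
        self.secret = secret  # constructed server-side signing secret
        self.generation = defaultdict(int)  # user_id -> current generation
        self.issued = []  # (timestamp, user_id) log used by the spike check

    def _sign(self, payload: str) -> str:
        return hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id: str, now: float) -> str:
        """Mint a token bound to the user's current generation."""
        payload = f"{user_id}:{self.generation[user_id]}"
        self.issued.append((now, user_id))
        return f"{payload}:{self._sign(payload)}"

    def validate(self, token: str):
        """Return the user id for a valid, current token, otherwise None."""
        try:
            user_id, gen_text, sig = token.rsplit(":", 2)
            gen = int(gen_text)
        except ValueError:
            return None  # malformed token
        if not hmac.compare_digest(sig, self._sign(f"{user_id}:{gen}")):
            return None  # forged or tampered token
        if gen != self.generation[user_id]:
            return None  # token predates a reset: treat as revoked
        return user_id

    def reset_tokens(self, user_ids) -> None:
        """Incident response: revoke all outstanding tokens for these users."""
        for user_id in user_ids:
            self.generation[user_id] += 1

    def issuance_spike(self, window: float, baseline: int, now: float) -> bool:
        """True if more tokens were issued in the last `window` seconds than
        the expected baseline, the kind of uptick that flags mass harvesting."""
        recent = sum(1 for ts, _ in self.issued if now - window <= ts <= now)
        return recent > baseline
```

A reset only helps if the old generation can no longer validate anywhere, so in a real deployment the generation counter has to be checked on every service that accepts the token, not just the one that issued it.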