But for about half of those whose accounts were broken into, about 14 million people, the hackers accessed intimate information, such as the last 10 places that person checked into, their current city and their 15 most-recent searches, the company said Friday. Initially, Facebook said that 50 million accounts could be attacked, but it did not know exactly whether there had been unauthorized use of the data. While Facebook claims the message content was not available to attackers, even this could have been seen if the person was a Page admin and had received a message from someone.
"There's not much more that Facebook can do", said Michael Pachter, an analyst with Wedbush Securities.
The attackers exploited a series of bugs on Facebook's platform.
The "view as" feature allows users to check their privacy settings by giving them a glimpse of what their profile looks like to others. This sort of personal detail can help identity thieves accomplish hacks for years into the future.
The company found out about the attack on September 25 and it took them two days to close the vulnerability by resetting the access tokens for people who were potentially exposed.
The breach, Facebook's worst ever, has exacerbated concerns among users, lawmakers and investors that the company is not doing enough to safeguard data, particularly in the wake of the Cambridge Analytica data scandal. While they procured access tokens for another one million Facebook users, the hackers did not steal any data in this case. Almost half of those 30 million also had other personal data accessed including the area where they live, their religious affiliation, relationship status and search history.
The attackers used the "view as" flaw with "a small handful" of accounts they controlled to capture data of their Facebook friends, then used a tool they developed to breach friends of friends and beyond, Rosen said.
Facebook said last month that it detected the attack when it noticed an uptick in user activity.
In a call with reporters on Friday, Facebook vice president of product management Guy Rosen detailed the type of personal information attackers may have obtained in what was likely the biggest data breach in the social networking giant's history.
Facebook said the FBI is investigating, but asked the company not to discuss who may be behind the attack.
Facebook's lead European Union data regulator, the Irish Data Protection Commissioner, last week opened an investigation into the breach. All the company is saying is that it is taking the breach seriously and working with the Federal Bureau of Investigation and other agencies to investigate. From there, the attackers used an automated technique that gave them access to the friends list, which allowed them to move from one account to the next and access the tokens, which eventually led to the attackers gaining control of 400,000 accounts. The company does note that it is not ruling out "small-scale attacks", either, and is investigating.