Two weeks ago, Facebook announced that 50 million users were affected, with the possibility of an additional 40 million, so the company reset the "access tokens" or digital keys of the 90 million accounts.
The breach forced users to log back into their accounts.
On Friday, the company said there were actually fewer users -- 30 million -- who were affected by the breach.
But the hackers went deeper into users' profiles than initially thought, the company also said Friday.
Nearly half of those impacted -- approximately 14 million users -- had their "username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches" exposed, the company's vice president of product management, Guy Rosen, wrote in a blog post.
These details were exposed sometime between Sept. 14 and Sept. 25 this year, when the company first discovered the security breach due to a sudden uptick in activity. But the software bugs made user information vulnerable from July 2017 to September 2018.
Previously, the company said only profile information exposed in the “View As” feature was accessed, which is basically a user’s name, gender and hometown.
From 400,000 to 30 million
The hackers didn't access all of the affected accounts immediately. They started with 400,000 profiles, then used the "Friends" and "Friends of Friends" features to get the "digital keys" for 30 million people, Rosen wrote.
Then, "for 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information," Rosen wrote.
For some users, the last four digits of their credit card could have been accessed, Rosen said in a follow-up call with reporters.
The information the hackers accessed includes timeline posts, lists of friends, Facebook groups, and "names of recent Messenger conversations." The company said the actual content of the messages was not revealed unless "a person in this group was a Page admin whose Page had received a message from someone on Facebook, the content of that message was available to the attackers."
Rosen said Facebook is cooperating with the ongoing FBI investigation into the breach, but would not give any details on who the hackers were or where they were based.
"We have not ruled out the possibility of smaller-scale attacks, which we’re continuing to investigate," he added.
"For 1 million people, the attackers did not access any information," Rosen said.
To find out if your account has been affected, Facebook has provided this link. Scroll to the bottom.
This attack did not include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts, Rosen wrote.