Facebook Inc. revealed that access tokens of about 30 million users were stolen in a data breach in September, fewer than the social media giant's initial estimate of 50 million.
Of the roughly 30 million users, 14 million were the most affected. They had their usernames and contact details accessed, along with data such as their gender, religion, and relationship status, as well as the last 10 places they checked into and 15 most recent searches. Some 15 million other users had just their names and contacts accessed, and the remaining 1 million had no information accessed.
Facebook's vice president, Guy Rosen, said the hackers exploited a weakness in the social network's code related to its "View As" feature between July 2017 and September 2018, allowing the theft of access tokens, digital keys that keep users logged in to Facebook.
Rosen added that a sharp increase in activity on Sept. 14 led to the discovery of the attacks on Sept. 25, which the company said it stopped within two days. The "View As" feature was subsequently disabled as part of a security review.
Facebook also noted that the attacks did not affect Facebook Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts.
"As we look for other ways the people behind this attack used Facebook, as well as the possibility of smaller-scale attacks, we'll continue to cooperate with the FBI, the US Federal Trade Commission, Irish Data Protection Commission, and other authorities," the company added.
The social media giant may face fines of up to $1.63 billion from an EU privacy watchdog. It is also facing a class-action suit filed in a court in northern California over the hack.