Facebook Says Hackers Accessed Sensitive Personal Information on 29 Million Users

Late last month, Facebook disclosed a massive security vulnerability that it claimed affected some 50 million login tokens, but details were somewhat thin on its impact pending further investigation. In a blog post today, the results are in some ways better and worse.

The company believes its initial estimate of 50 million compromised login tokens—it reset 90 million in total as a cautionary measure—was generous, and Facebook now believes the number of accounts impacted to be closer to 30 million. That’s the good news, if you can call it that.

For 400,000 of the accounts, which these attackers used to seed the process of gathering login tokens, personal information, such as “posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations” and, in one instance, actual message content, were compromised. Of the 30 million ensnared in the attack, Facebook believes that for around half, names and contact information—meaning phone numbers, email addresses, or both—were visible to the attackers; 14 million of that pool had that same information accessible as well as myriad other personal details, which Facebook believes could contain any of the following:

[U]sername, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches

Facebook believes only 1 million of the total compromised accounts had no personal information accessed whatsoever.

Guy Rosen, Facebook’s Vice President of Product Management, is expected to further clarify this update this afternoon. We’ll update this post as details become available.