Facebook didn't respond to a request for comment, and Rosen declined to provide specific details on the attackers because the FBI is investigating the breach. He said attackers initially used accounts under their direct control, which they had likely created, to exploit the vulnerability in the "View As" feature and steal tokens for the friends of those original accounts.
Facebook also stressed that the attack did not affect Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts. But three errors in Facebook's software enabled someone accessing "View As" to post and browse from the Facebook account of the other user.
In the blog post, Facebook details how it tracked down the attack in the first place, but ultimately says that 30 million individuals were affected by the breach. And for 14 million more people, the hackers were able to get a lot more information, like username, gender, relationship status, religion, birthday, and a ton of other information including things you've searched for.
Facebook said engineers discovered a breach on September 25 and had it patched two days later.
"The resources we are pointing people toward are based on the actual types of data accessed - including the steps they can take to help protect themselves from suspicious emails, text messages, or calls", the spokeswoman said.
It said: 'On the afternoon of Tuesday, 25 September, our engineering team discovered a security issue affecting nearly 50 million accounts.'
The Federal Trade Commission - which Facebook said it is cooperating with - didn't immediately respond to a request for comment. The other million people didn't have any information stolen.
User messages could have been exposed in one specific use case, officials said.
Twenty-nine million Facebook users had their accounts accessed by hackers.
The breach was the latest privacy embarrassment for Facebook, which earlier this year acknowledged that tens of millions of users had their personal data hijacked by Cambridge Analytica, a political firm working for Donald Trump in 2016. If an affected user had been the administrator of a Facebook page, and the page had received a message from another user, that message may have been compromised, Facebook said.
Facebook did not rule out the possibility of smaller-scale attacks and said it would continue to investigate.
Ultimately, they stole sensitive personal information from 14 million accounts, including birth dates, recent search history and the last 10 locations where users were tagged.