Facebook cut the number of affected users from its original estimate after investigators reviewed activity on accounts that may have been affected. It allowed attackers to steal Facebook access tokens, which they could then use to take over people's accounts.
Facebook said it will send customised messages in the coming days to affected users to explain what information the attackers accessed and how they can protect themselves, including from suspicious emails, text messages or calls.
Facebook Vice President Guy Rosen told reporters the Federal Bureau of Investigation has asked the company to limit descriptions of the attackers due to an ongoing inquiry.
But for users already uneasy about the privacy and security of their Facebook accounts after a year of tumult, the details that hackers did gain access to - including gender, relationship status, hometown and other info - might be even more unsettling.
Attackers did not access any information for the remaining one million users.
Facebook last month confirmed that several million accounts were hacked on its social media website and user data was stolen.
For 1 million hacked accounts, no information was retrieved.
"We will also work to contact people who may not be on Facebook any longer", he said.
The "view as" feature allows users to check their privacy settings by giving them a glimpse of what their profile looks like to others.
They had access to the information posted on the wall, groups, names of conversations and friends lists.
"It's clear that attackers exploited a vulnerability in Facebook's code", said Rosen.
The company said that it may still not know the full extent of the attack and wasn't ruling out the possibility of other "smaller-scale attacks" linked to the breach.
The breach, Facebook's worst ever, has exacerbated concerns among users, politicians and investors that the company is not doing enough to safeguard data, particularly in the wake of the Cambridge Analytica data scandal.
Security experts have said Facebook's initial breach disclosure arrived earlier than it likely would have prior to the enactment in May of the European Union's General Data Protection Regulation, which mandates notification within 72 hours of learning of a compromise.
This particular Facebook security breach did not affect Messenger, Messenger Kids, Instagram, Whats App, Oculus, Workplace, Pages, payments, third-party apps or advertising or developer accounts.
At the time, CEO Mark Zuckerberg - whose own account was compromised - said attackers would have had the ability to view private messages or post on someone's account, but there's no sign that they did.
The company said hackers were not able to access more sensitive information like password or financial information. The attackers then obtained access tokens for about 29 million users who were friends, or friends of friends, of these 400,000 seed accounts.