The platform reports that around 30 million users have had their login tokens stolen.
The company's initial estimate was that the recent attack affected nearly 50 million accounts, a number it revised down on Friday. Facebook says the problem has been fixed.
Of the identified 30 million that had their token stolen in September, 2018, one million remained unaffected by any malicious activity. As a precaution, it also turned off View As.
Among the 30 million unlucky users, there are 1 million lucky ones - those whose accounts were compromised without any personal information taken.
"Now clearly these episodes tell us that Facebook has not done enough that it should have done for the purposes of protecting the sensitive personal data and personal information of its users". It's a pretty extensive list: user name, gender, locale or language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places you checked into or were tagged in, your website, people or Pages you follow and your 15 most recent searches. But three errors in Facebook's software enabled someone accessing "view as" to post and browse from the Facebook account of the other user.
'First, the attackers already controlled a set of accounts, which were connected to Facebook friends.
Regulators around the world have ongoing inquiries into another matter that came to light in March: How profile details from 87 million Facebook users were improperly accessed by political data firm Cambridge Analytica.
Of course, you can't change the fact that your information is now in the hands of strangers.
Guy Rosen, Facebook's vice president of product management, said on a conference call with reporters that the FBI was investigating the attack and had asked the company not to share certain information, such as possible suspects, that might compromise the investigation.
"This doesn't sound very targeted at all", he said.
Rosen also said that the attack "did not include Messenger, WhatsApp, Instagram, Messenger Kids, Workplace, Oculus, payments, developer accounts, advertising, third-party apps or pages". The company said it hasn't ruled out the possibility of smaller-scale attacks that used the same vulnerability. "Usually when you're looking at a sophisticated government operation, then a couple of thousand people hacked is a lot, but they usually know who they're going after".