Facebook further outlined the numbers relating to specific information accessed.
"Today's update from Facebook is significant now that it is confirmed that the data of millions of users was taken by the perpetrators of the attack", the Irish Data Protection Commission wrote on Twitter. He said Facebook is looking into the possibility of smaller scale attacks.
According to a company blog post, attackers found a vulnerability in the code and used Facebook's "View As" feature to steal access tokens created to allow people to stay logged in.
The company set up a website that its 2 billion global users can use to check if their accounts have been accessed, and if so, exactly what information was stolen.
1 million lucky users were completely untouched by the incident. Colin Bastable, CEO of Lucy Security which focuses on cybersecurity prevention and awareness, painted an especially grim scenario.
"They can take that information and definitely parlay it into information that can scam the individual", he said.
He said the attack affected a "broad" spectrum of users, but declined to break down the number affected by country.
Last month, Facebook launched an investigation with the FBI and released a statement in response the the breach. The attackers then used the list of friends they collected to "eventually steal access tokens for about 30 million people".
Fortunately, this is pretty easy to find out. Both incidents could further fuel a congressional push for a national privacy law to protect U.S. users of tech company services. However, the Federal Bureau of Investigation requested the company keep the lid on that information.
The stolen data included search history, location data and information about relationships, religion and more. "The cost of inaction is growing and we need answers".
Once they had keys to accounts, hackers had the ability to get into them and control them as though they were the real owner.
Those tokens, which were stolen by taking advantage of three software bugs relating to the platform's View As profile feature, essentially allow an attacker to hijack the Facebook profiles of affected individuals. The vulnerability, Facebook said, had existed since July 2017.
The automated process the hackers used to target their Facebook friends would load their profiles through the "View As" tool, which let people see how their profiles looked to others. Up to 90 million people were logged out of their accounts and had those tokens reset as a result of the bug's discovery.
Turn on two-factor authentication whenever you can, but especially on your most sensitive or valuable accounts. Authorities in other jurisdictions including the USA states of CT and NY are also looking into the attack.
The breach was disclosed at the worst possible time for Facebook, which is grappling with a series of crises that have shaken user trust in the world's largest social network. Simply log into Facebook, and navigate to the Facebook Help Center.