The social network addressed the September attack on Friday, saying in a statement that it is cooperating with the FBI, which is “actively investigating.”
Facebook added that the bureau has asked it not to discuss who may be behind the attack. When the social network first disclosed the hack two weeks ago, company officials said they didn’t know who was behind it or where they might be based.
It explained that 50 million people’s access tokens are believed to have been affected, and that 30 million of those actually had their tokens stolen.
“First, the attackers already controlled a set of accounts, which were connected to Facebook friends. They used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people,” Facebook wrote.
The information that was gained by the hackers varied, with 15 million people having their name and contact details disclosed. An additional 14 million people had that information breached; as well as other details from their profile, including the device types they use to access Facebook, their education background, and employment data. The hackers did not access the information of the remaining one million people.
Facebook also stressed that the attack did not affect Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts.
The 30 million people who were affected will receive “customized messages” in the coming days, explaining what information the hackers might have accessed.
In the tech world, the term “access tokens” refers to digital keys that keep people logged in to sites so they don’t need to re-enter their password every time they want to use an app or website.
Facebook shares have dropped by 1.1 percent since the statement was released.