When the social media giant first reported the breach two weeks ago, it said that up to 50 million accounts could have been impacted. On Friday it downgraded that figure to 30 million, but the scale of the information the hackers accessed was much worse than initially reported.
Along with basic details like email address and phone number, the hackers gained access to personal data like who or what users were searching for on the platform. And for a subset of 14 million Facebook accounts, the outlook gets very grim: Hackers accessed deeply personal information, including relationship status, religion, hometown, self-reported current city, birthdate, and the device types used to access Facebook.
Facebook also admitted hackers had access to the last 10 places users checked in to or were tagged in, the people or Pages they follow, and their 15 most recent searches.
The company revealed that it took them 13 days from discovering the breach on Sept. 14 to closing the vulnerability on Sept. 27.
Guy Rosen, Facebook’s vice president of product management, told reporters on a conference call that the company could not give any details about who was behind the attack or where they were, at the request of the FBI, which is actively investigating the hack.
The company said it’s also working with the FTC and the Irish Data Protection Commissioner. Facebook’s international headquarters are based in Dublin.
Facebook has already forced affected users to reset their logins in order to void the access tokens the hackers stole, but the breach could have long-lasting privacy consequences for the 14 million users most affected.
To see if you've been affected, visit the Facebook Help Center here.
Cover image: Facebook says hackers accessed data from 30 million accounts as part of the security breach disclosed two weeks ago. (AP Photo/Ben Margot, File)
This article originally appeared on VICE News.