MENLO PARK (CNN) — Almost 30 million Facebook users’ phone numbers and email addresses were accessed by hackers in the biggest security breach in the company’s history, Facebook said Friday. The attackers accessed even more details on 14 million of those users, including the area where they live, their relationship status, their religion, and part of their search history.
The FBI is “actively investigating” the breach, Guy Rosen, a Facebook vice-president, told reporters on a call Friday. He said the FBI has asked the company”not to discuss who may be behind this attack” or to share other details that could compromise its investigation.
The company said that it may still not know the full extent of the attack and wasn’t ruling out the possibility of other “smaller-scale attacks” linked to the breach. The company said it will continue to investigate “other ways the people behind this attack used Facebook.”
The new details come two weeks after Facebook first announced that attackers had access to 50 million users’ accounts — meaning they could have logged in as those users. Facebook said on Friday that, “We now know that fewer people were impacted than we originally thought,” and said that 30 million people had been impacted.
For the 14 million worst hit by the breach, the attackers were able to access the following information, Facebook said: “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.”
Facebook said it will send a message to the 30 million users affected in the coming days and will be posting information to its help center.
Facebook is regulated by Irish authorities in Europe as its European headquarters is located there. A spokesperson for the Irish data regulator said of Friday’s announcement, “The update from Facebook today is significant now that Facebook has confirmed that the personal data of millions of users was taken by the perpetrators of the attack.”
The attack prompted Facebook to take the unprecedented step of logging out the 50 million users whose accounts were exposed and logged out another 40 million users as a precautionary measure.
The attackers exploited a series of bugs on Facebook’s platform. The vulnerability, Facebook said, had existed since July 2017. It wasn’t patched until last month, after the company’s engineers noticed some unusual activity that turned out to be the attack.
Despite Friday’s announcement, there are still many details about the hack that have not been made public, including who was behind it and if the attackers were targeting particular users or countries.
© Copyright 2018 CNN. All Rights Reserved. This material may not be published, broadcast, rewritten or redistributed.