Facebook on Friday revealed that hackers had stolen extensive information from 14 million users in the hack it announced last month.
The company said an estimated 30 million people were affected by the hack, downgrading its initial estimate that information on 50 million users had been compromised.
But while the pool of users affected by the breach has shrunk, Facebook revealed that the hackers still managed to access an alarming amount of personal information for millions of users.
The company said that of those 30 million, hackers accessed information on 14 million that included the most recent places they had checked in, their 15 most recent searches, the devices they used to access Facebook, birthdate, relationship status, religion and other information listed on their profiles.
Another 15 million had their names and contact information exposed, Facebook said, adding that hackers didn't access any information for the remaining 1 million people in the 30 million affected. Facebook said that no credit card information was stolen in the hack.
The hack is likely the largest and most extensive that the company has ever suffered, and it comes as Facebook is still recovering from the Cambridge Analytica scandal in which a right-wing political consulting group improperly obtained data on millions of users.
When Facebook first announced the hack in late September, it had little sense of who had been affected or what the hackers had gone after. Friday's announcement revealed some of the first details about what information was swept up in breach, though the company is staying mum about who might have been behind it.
The attack exploited a vulnerability that Facebook had inadvertently introduced into their software in July 2017 affecting the "View As" feature that allows users to determine what their profiles look like to a third party.
The vulnerability allowed hackers to steal access tokens — essentially giving them the ability to unlock user accounts — for the 30 million users.
"That vulnerability was the result of a complex interaction of three bugs in our software," Guy Rosen, Facebook's vice president of product management, said on a call with reporters Friday.
Rosen declined to answer questions about who the attackers might have been or what they were after, saying that Facebook was cooperating with the FBI on a criminal investigation into the incident and that the agency had asked them not to share any details that could compromise the probe.
Facebook's admission comes as Congress and regulators are taking a closer look at how internet companies collect and handle user data. Lawmakers are preparing to craft a sweeping data privacy bill that could address how companies respond to massive data breaches.
Users can visit Facebook's Help Center to find out if they were affected by the hack and what information may have been stolen.