Hackers accessed the personal information of approximately 29 million Facebook users in its September breach, the company disclosed Friday. Of the 50 million accounts affected by the vulnerability, the tokens of 30 million accounts were stolen, according to a company post Friday. One million of these accounts did not have any information accessed.
But half of these accounts, 15 million, had name and contact information, including email, phone number or both, accessible to hackers. The remaining 14 million accounts had the same information accessed in addition to personal identifying information such as gender, relationship status, religion, birthdate, education, work, location, recent searches and linked websites.
Facebook users can check if their account was affected in the company's Help Center. The social network will send customized messages to the 30 million affected accounts in the coming days to explain what happened and provide steps to take for protection.
Facebook announced that 50 million accounts were breached in late September, but at the time was unaware whether users' information was accessed.
In the post, Facebook noted it is cooperating with the FBI, which has asked the social media company "not to discuss who may be behind this attack." Some experts have ventured that a nation-state actor could be behind the attack, especially in light of political interference on the platform.
The disclosure that tens of millions of users' personal information was breached is a huge bump in the road for a company that has been grappling with user trust and privacy issues this year. Many U.S. and international lawmakers expressed concern following the initial disclosure, and reports that sensitive data was accessed will only stoke the fire.
Facebook was quick to disclose the initial security incident — a speediness that GDPR's 72-hour breach notification requirements may have played a role in.
The company came under fire for its security practices following the Cambridge Analytica scandal earlier this year. Facebook rolled out security improvements, including efforts to double its security team by year's end, and created a data abuse bounty.