Facebook has revealed that millions of email addresses, phone numbers and other personal user information were compromised during a recent security breach.
The social media giant, which has more than two billion users worldwide, announced last month that engineers had discovered a “security issue” which affected 50 million accounts.
On Friday, the company’s vice president of product management Guy Rosen said “fewer people were impacted than we originally thought”, with access tokens stolen from around 30 million accounts.
Access tokens work as digital keys: they are bearer credentials, so whoever holds one can log into the account it belongs to without entering a password, which is why a stolen token is as good as a stolen login.
Shedding new light on the hack, Mr Rosen said the attackers used an “automated technique” to move from account to account stealing tokens of friends-of-friends, “totalling about 400,000 people”.
This pool of 400,000 users allowed them to steal access tokens from the full 30 million, he continued.
He wrote: “For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles).
“For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles.
“This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.
“For 1 million people, the attackers did not access any information.”
Mr Rosen said a combination of three bugs in the View As feature, which lets users see what their profile looks like from the perspective of other accounts, caused an access token to be embedded in the HTML source of the View As page, where anyone loading the page could copy it.
It was this vulnerability which allowed “an external actor” to obtain access tokens, giving them the ability to log into, and take over, users’ Facebook accounts, along with any third-party services, such as Spotify, Instagram or Tinder, where the user signs in with their Facebook account.
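The chain described above, a bearer token that leaks into the HTML of a View As page and an automated crawl that walks the friend graph harvesting more tokens, as an added illustrative example. This is not Facebook's code and does not reproduce the three real bugs, which the article does not detail: the toy social graph, the token store, the `data-token` attribute and the choice of which account's token leaks are all constructed for the demonstration. The hardened renderer and the `page_leaks_token` check are the shape of fix and regression test a team would want after such an incident.

```python
import re
import secrets
from collections import deque

# Constructed toy social graph (not Facebook data): account -> friends.
FRIENDS = {
    "alice": {"bob", "carol"},
    "bob": {"alice", "dave"},
    "carol": {"alice", "erin"},
    "dave": {"bob"},
    "erin": {"carol"},
}

# Hypothetical server-side token store: token -> the account it authenticates.
TOKENS = {}


def issue_token(user):
    """Mint an access token for `user` and remember who it belongs to."""
    tok = secrets.token_hex(16)
    TOKENS[tok] = user
    return tok


def whoami(token):
    """Bearer semantics: whoever presents a valid token *is* that account.
    No password is asked, which is why a leaked token equals a takeover."""
    return TOKENS.get(token)


def render_view_as_vulnerable(viewer_token, target):
    """Hypothetical buggy 'View As': the preview is built with a token minted
    for `target` (so client-side widgets can load target-scoped data), and
    that token is written into the HTML the viewer receives."""
    viewer = whoami(viewer_token)
    if viewer is None:
        raise PermissionError("not logged in")
    target_token = issue_token(target)   # the leak: a credential for someone else
    return (f'<html><body data-token="{target_token}">'
            f"{viewer}'s profile as seen by {target}</body></html>")


def render_view_as_fixed(viewer_token, target):
    """Hardened 'View As': the preview is rendered server-side under the
    viewer's own session; no credential for `target` is minted or emitted."""
    viewer = whoami(viewer_token)
    if viewer is None:
        raise PermissionError("not logged in")
    return f"<html><body>{viewer}'s profile as seen by {target}</body></html>"


TOKEN_RE = re.compile(r'data-token="([0-9a-f]{32})"')


def page_leaks_token(html):
    """Regression check: does a rendered page carry a live token for any account?"""
    return any(whoami(t) is not None for t in TOKEN_RE.findall(html))


def harvest(seed_token, render):
    """The automated technique the article describes: starting from one stolen
    token, 'View As' each friend, scrape any token the page leaks, then repeat
    from the newly stolen tokens (friends, friends-of-friends, ...).
    Returns {account: stolen token}."""
    stolen = {whoami(seed_token): seed_token}
    queue = deque([seed_token])
    while queue:
        tok = queue.popleft()
        for friend in sorted(FRIENDS[whoami(tok)]):
            if friend in stolen:
                continue
            leaked = TOKEN_RE.search(render(tok, friend))
            if leaked:
                stolen[friend] = leaked.group(1)
                queue.append(leaked.group(1))
    return stolen


if __name__ == "__main__":
    seed = issue_token("alice")   # one victim's token, however it was obtained
    print("vulnerable:", sorted(harvest(seed, render_view_as_vulnerable)))
    print("fixed:     ", sorted(harvest(seed, render_view_as_fixed)))
```

Run against the vulnerable renderer, one seed token is enough to reach every account connected to it through the friend graph; against the fixed renderer the crawl stops at the seed, because no page ever contains a token for anyone but the logged-in viewer. Note that the fix removes the credential from the response rather than hiding it in the markup: a token in page source is a token the client has, whatever the HTML looks like.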
Messages between accounts were not compromised by the hackers, Mr Rosen said on Friday, except if the person was a page admin whose page had received a message.
Facebook staff first noticed an “unusual spike of activity” that began on September 14.
On September 25, the trend was identified as an attack, and engineers closed the vulnerability within two days, Mr Rosen said.
“We’re cooperating with the FBI, which is actively investigating and asked us not to discuss who may be behind this attack,” his blog continued.
Facebook users can check if they are affected by visiting the website’s help centre.