Facebook reports that for 15 million of the affected users, those behind the attack gained access to two types of information — their name and contact details such as phone numbers and email addresses. For 14 million users, attackers accessed much more information including name and contact info as well as other profile details like username, gender, location, language, relationship status, religion, hometown, current city, birthdate, education, work, places where they checked in or were tagged, website, people or Pages followed, recent searches and device types used to access Facebook.
For the final one million users whose access tokens were stolen, the attackers didn’t access any of their information.
Facebook notes that the breach didn’t affect its other products, like Messenger, Messenger Kids, Instagram, WhatsApp, Oculus or Workplace. The attack also didn’t include features such as Pages, payments and advertising or developer accounts or any third-party apps. Facebook will continue to investigate the matter and it says it’s looking into “the possibility of smaller-scale attacks,” though it didn’t elaborate on what those might entail.
It’s still working with the FBI, FTC and other authorities as it investigates the breach. It will also notify the 30 million people whose access tokens were stolen, providing them with more details about what information might have been accessed and what they can do to protect themselves from suspicious contact going forward.