Facebook says hackers stole personal info on 29 million users

The social network also says the number of users affected by the breach isn't as high as it originally thought.

Queenie Wong
Laura Hautala

A massive Facebook security breach affected fewer people than the company originally thought, but millions of users still had their phone numbers, emails and other information compromised, the tech giant said on Friday.

In September, the world's largest social network said it believed the breach impacted 50 million people. Attackers had stolen Facebook "access tokens" -- digital keys that let them access people's accounts without needing a password. On Friday, the company said hackers stole personal information from 29 million people.

"We are sorry this happened. We know we will always face threats from people who want to access accounts and steal information," Facebook VP of Product Management Guy Rosen said during a conference call. 

Hackers accessed names and contact details, such as emails and phone numbers, from 15 million people, Facebook said Friday. They stole the same information from 14 million more people, and for that group the attackers also gained access to other personal details such as a user's birth date, hometown and workplace, along with their most recent searches or places they checked into on the social network.

A total of 30 million people had their access tokens stolen, but 1 million people didn't have any information compromised, Facebook added. The attackers also used a technique that let them steal access tokens from the friends of the accounts they already controlled, expanding their reach, Rosen said. 

Avivah Litan, a Gartner analyst who covers security and privacy, said some of the data stolen, like emails and phone numbers, could be useful for financial theft. But she wonders about the motive behind stealing more detailed personal information such as recent searches, religion or relationship statuses.

"The only ones interested in that information are either advertisers and nation states or other political operatives that are trying to manipulate populations," she said. "Cybercriminals who are interested in stealing money don't have to go into all that detail."

Facebook said it's working with the FBI, which asked it not to discuss who might be behind the attack or whether they were targeting anyone in particular. So far, Facebook hasn't found any evidence that the hackers were able to access third-party apps like Tinder and Spotify that use a Facebook login. Rosen also noted that Facebook has no reason to believe that the breach was related to the upcoming US midterm elections.

In the wake of the data breach and a privacy scandal involving Cambridge Analytica, Facebook has been trying to rebuild trust with its 2 billion monthly active users. But the company's latest revelation about the breach highlights the risks that come with sharing personal information on a social network. 

Outside of privacy and security concerns, Litan said consumers should be wary about sharing so much personal information with a social network.

"It's a very shortsighted thing to do unless you think you're above all the algorithms and manipulation," she said. "The problem is it's too late. People are hooked." 

Facebook said users can check if they were affected by visiting the social network's Help Center. Accounts of the impacted users have been secured and they don't need to log out again or change their password. Facebook will also be sending a message to the 30 million people affected that includes advice on how they can protect themselves from suspicious e-mails and texts. The company is also working on contacting users who may no longer be on the social network.

As Facebook and law enforcement dig deeper into who was behind the attack, questions about how well the company handled the breach still linger.

"We are working very closely with regulators around the world to provide information that they need and to answer their questions," Rosen said.

First published Oct. 12, 10:23 a.m. PT
Update, 12 p.m.: Adds more background and information from conference call. 
Update, 4 p.m.: Adds comment from analyst. 
