Another 15 million users had their names and contact information breached, and 1 million users had only their access tokens stolen; Facebook has reset the access tokens for all of those users. For 1 million people, the attackers did not access any information.
The company believes its initial estimate of 50 million compromised login tokens - it reset 90 million in total as a cautionary measure - was generous, and Facebook now believes the number of accounts impacted to be closer to 30 million.
Facebook's latest vulnerability has existed since July 2017, but the company first identified it in mid-September after spotting a fairly large increase in the use of its "view as" feature.
Still, for users already uneasy about the privacy and security of their Facebook accounts after a year of tumult, the details that hackers did gain access to - gender, relationship status, hometown and other info - might be even more unsettling. "This allowed them to steal Facebook access tokens, which they could then use to take over people's accounts", it added.
Last month, the California-based social media giant reported that 50 million Facebook users' accounts were affected. As it turns out, the data of almost 30 million users was stolen in the breach, a Facebook investigation has now confirmed.
Facebook said it will send a message to the 30 million users affected in the coming days and will be posting information to its help center.
"We have not ruled out the possibility of smaller-scale attacks, which we're continuing to investigate", Facebook's head of product management, Guy Rosen, wrote in a blog post. After that, Facebook followed the proper procedure and notified the Federal Bureau of Investigation about the attack, and it is working with other law enforcement agencies to identify the people behind it.
Facebook indicated that hackers stole access tokens through its "view as" feature.
This pool of 400,000 users allowed them to steal access tokens from the full 30 million, he continued. That expanded to "friends of friends", extending their access to about 400,000 accounts, and went on from there to reach 30 million accounts.
Security experts have said Facebook's initial breach disclosure arrived earlier than it likely would have prior to the enactment in May of the European Union's General Data Protection Regulation, which mandates notification within 72 hours of learning of a compromise. The attack began on September 14, but Facebook only realized it was a threat by September 25. Facebook Messenger was also unaffected.
It says third-party apps and Facebook apps like WhatsApp and Instagram were unaffected by the breach. Message content was not available to the attackers, with one exception.
Facebook has also advised affected users to not entertain calls from numbers they don't recognise.
Facebook said it took the precautionary step of resetting "access tokens" for another 40 million accounts which had accessed the "view as" function. That is, 20 million fewer accounts had their tokens stolen than Facebook originally projected.