Facebook’s massive security hack was smaller than reported, but 29 million people still had their personal info stolen

The FBI is investigating.

Facebook CEO Mark Zuckerberg
Chip Somodevilla / Getty

Facebook says the security breach it announced late last month impacted fewer people than initially expected, though hackers still collected personal data from 29 million users.

Facebook reported Friday that 30 million accounts were compromised in the September breach in which a software “vulnerability” gave hackers access to a digital “token” that enabled them to log in to millions of user accounts. Originally, Facebook had estimated 50 million accounts might have been compromised. They’ve revised that number to 30 million.

That’s the “good” news. The bad news is these hackers did indeed collect personal user data from 29 million of those 30 million accounts, Facebook says. That includes the name and contact info — phone numbers and emails — for all 29 million people. The hackers also collected a lot of other information on 14 million of those 29 million users, including but not limited to “gender, locale/language, relationship status, religion [and] hometown,” Facebook wrote.

Facebook previously said that it didn’t know if any personal user information had been accessed, only that it was possible.

The FBI is investigating the attack and Facebook says it is cooperating. The company still has not said who was behind the hack.

Facebook, of course, has dealt with a lot of security and privacy issues so far in 2018, including its Cambridge Analytica scandal in which millions of users’ personal data was collected and sold to an outside political research firm. There is general concern that Facebook data like this might be used to help political candidates with ad targeting or messaging ahead of the U.S. midterm elections, which are early next month.

Facebook is hosting a conference call with reporters at 10 am PT to discuss the situation. We’ll update this story as we learn more.

Update: Facebook’s press call didn’t include a lot of new information, other than the fact that Facebook won’t be sharing a lot of new information.

Facebook product executive Guy Rosen took questions for about 25 minutes but declined to share any more details.

“[The FBI] asked us not to discuss who may be behind this attack or what their intentions could be,” Rosen said. He added, “We have no reason to believe this specific attack was related to the midterms.”

He also declined to share details about which countries might have been impacted by the attack, saying just that the attack was “fairly broad.”

This article originally appeared on Recode.net.