Facebook said on Friday that hackers were able to access the personal information of 14 million people through a security flaw that the company first disclosed last month, and that the data exposed included information such as recent check-ins and searches.
Facebook said in a blog post that people would be able to check whether they were affected by the attack by visiting a Facebook help center online. The company also said that in the coming days it would send customized messages to users to explain what information might have been accessed.
The social networking company disclosed two weeks ago that a security flaw in Facebook's "view as" feature had allowed hackers to see into and potentially take over people's profiles.
Facebook, the world's largest social media network with more than 2 billion users, has faced rising criticism that it has failed to protect people's privacy. It disclosed this year that the personal information of up to 87 million people was taken by the maker of a quiz app and then wrongly handed over to political consultancy Cambridge Analytica.
Facebook did not say who might have been behind the latest attack or if certain groups of people were targeted, but it said it was working with authorities including the FBI to investigate.
The company's initial estimate was that the recent attack affected almost 50 million accounts, a number it revised down on Friday. In all, the hackers stole "access tokens," the credentials that keep a user logged in and let whoever holds one act as that account without knowing its password, for 30 million people, Facebook said in its latest update.
Of those 30 million, 15 million had their name and contact details, such as phone number and email address, exposed.
Facebook said that for a second group of 14 million people, the attackers accessed information including "username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches."
The breach may have long-lasting effects if the information accessed is used in future attacks, particularly phishing emails that trick people into giving up sensitive information and passwords; details such as an employer, a hometown and recent searches let an attacker write a message that looks as if it comes from someone who knows the target.
"Tens of millions of people impacted by the Facebook data breach are likely to find that they have now become intertwined in systematic phishing campaigns that will persistently target them and the organizations they work for for a long time," Oren Falkowitz, CEO of security firm Area 1 Security, said in an email.
Sen. Mark Warner, D-Va., called search and location history "particularly personal information" to have been accessed.
"With each new, high-profile privacy breach, it’s ever-clearer that Congress needs to establish some guardrails for social media platforms to protect consumer data while encouraging American innovation," Warner, vice chairman of the Senate Intelligence Committee, said in a statement.
Payment information such as credit card numbers was not accessed, Facebook said.
A third group of 1 million people had their access tokens stolen but no other information accessed, Facebook said.
Guy Rosen, Facebook's vice president of product management, said on a conference call with reporters that the FBI was investigating the attack and had asked the company not to share certain information, such as possible suspects, that might compromise the investigation.
Facebook's own investigation is continuing and the company is working with other authorities, including those in Ireland where Facebook has its European headquarters, Rosen said.
Rosen declined to provide a country-by-country breakdown of where the affected users were located but said the attack was "fairly broad."
The people behind the attack started from their own accounts and began stealing access tokens from their friends, Rosen said. They then moved on to friends of friends, eventually reaching 400,000 accounts, using that list to steal access tokens for about 30 million people, he said.
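The walk Rosen describes, from the attackers' own accounts to friends, then friends of friends, with each stolen token used to reach the next ring, is easy to model, and the same model shows what a platform could look for in its own token-issuance records. The block below is an added illustration, not Facebook's code: the friend graph, the flawed token-issuing endpoint (a stand-in for the "view as" flaw, whose real mechanism the article does not describe), the log layout and the detection threshold are all constructed assumptions.

```python
# Added illustration (not Facebook's code). Models the friend-graph walk
# described in the article and a detection check a platform could run over
# its own token-issuance log. The graph, the token-issuing endpoint and the
# log layout are all constructed assumptions.
import secrets
from collections import Counter, deque

# Constructed friend graph: the attacker controls account "A"; "J" and "K"
# are an unconnected pair the walk can never reach.
FRIENDS = {
    "A": {"B", "C"},
    "B": {"A", "D", "E"},
    "C": {"A", "E", "F"},
    "D": {"B", "G"},
    "E": {"B", "C", "H"},
    "F": {"C"},
    "G": {"D"},
    "H": {"E", "I"},
    "I": {"H"},
    "J": {"K"},
    "K": {"J"},
}


def issue_view_as_token(viewer, target, friends, issued_log):
    """Stand-in for a flawed 'view as' endpoint: a viewer asking to see their
    profile as a friend gets back a token scoped to that friend (assumption;
    the article does not describe the real mechanism). Non-friends get nothing."""
    if target not in friends.get(viewer, ()):
        return None
    token = secrets.token_hex(8)
    issued_log.append({"viewer": viewer, "target": target, "token": token})
    return token


def harvest(seeds, friends, issued_log, max_hops=None):
    """Breadth-first walk: every stolen token lets the attacker act as that
    account and request tokens for its friends, so the walk moves from
    friends to friends of friends and so on. Returns the stolen tokens keyed
    by account and a per-hop count of newly reached accounts."""
    tokens = {}
    reached_by_hop = Counter()
    visited = set(seeds)
    frontier = deque((s, 0) for s in seeds)
    while frontier:
        acct, hop = frontier.popleft()
        if max_hops is not None and hop >= max_hops:
            continue
        for friend in sorted(friends[acct]):  # sorted only for determinism
            if friend in visited:
                continue
            token = issue_view_as_token(acct, friend, friends, issued_log)
            if token is None:
                continue
            visited.add(friend)
            tokens[friend] = token
            reached_by_hop[hop + 1] += 1
            frontier.append((friend, hop + 1))
    return tokens, dict(reached_by_hop)


def flag_mass_issuance(issued_log, threshold):
    """Detection: viewers that obtained tokens for at least `threshold`
    distinct targets. Legitimate 'view as' use touches a handful of profiles;
    a walk like the one above requests a token for every friend it has."""
    targets = {}
    for entry in issued_log:
        targets.setdefault(entry["viewer"], set()).add(entry["target"])
    return {v: len(t) for v, t in targets.items() if len(t) >= threshold}


if __name__ == "__main__":
    log = []
    stolen, per_hop = harvest(["A"], FRIENDS, log, max_hops=2)
    print(sorted(stolen), per_hop)                # ['B', 'C', 'D', 'E', 'F'] {1: 2, 2: 3}
    print(flag_mass_issuance(log, threshold=2))   # {'A': 2, 'B': 2}
```

Two hops from a single seed already reach five of the ten other accounts in this toy graph; with no hop limit the walk takes every account in the seed's connected component and only the unconnected pair stays out of reach, which is the shape of the 400,000-account list Rosen describes. The detection side is deliberately simple: the signal is not any single token request but one viewer collecting tokens for many distinct targets, so the threshold would be tuned against what ordinary "view as" use looks like on the real service.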
There was no reason to believe the attack was related to the Nov. 6 midterm elections, he said.
Asked whether people on Facebook should continue to trust the service, Rosen responded that the company was committed to security.
"We take these incidents very, very seriously, and nothing is more important to us than the security of people’s information," he said.
Shares in Facebook traded down 0.2 percent on Friday, while the S&P 500 rose 0.7 percent.
Mark Nunnikhoven, vice president of cloud research at security firm Trend Micro, said that people whose accounts had been accessed should assume the worst and make sure their social media and email accounts have not been compromised. He also encouraged people to enable multi-factor authentication for their services, for example by linking a phone number that must confirm any new login. Multi-factor authentication protects the login step; it does not revoke access tokens that have already been stolen, which only the service itself can invalidate.
He also noted that people should be aware that their connections on Facebook can leave them open to data harvesting.
"That person you vaguely remember from grade school? They probably don’t need access to your entire profile," Nunnikhoven said. "Time to tighten up those privacy settings."