Skip to main content

Hackers stole personal information such as phone numbers and e-mails from as many as 30 million Facebook users as part of the most significant security breach in the company’s history.

The social-media firm first disclosed the breach two weeks ago, at the time estimating that as many as 50 million accounts had been hacked by people who had exploited a complex series of bugs in the company’s software.

Facebook scaled its estimate of affected users down to 30 million in an update on Friday, but revealed that hackers had been able to access a wide array of personal details from millions of accounts.

Company officials said that they believe hackers used automated software to steal contact information from profiles of 29 million Facebook users and said that they would notify affected users about what information was stolen and how to protect themselves against suspicious e-mails, phone calls and text messages. Another one million users had their accounts accessed but no information was stolen.

For roughly half the users affected by the breach, 14 million accounts, hackers were also able to collect even more information, such as birth dates, relationship status, lists of friends, posts they had written, recent search history and geographic information from the past 10 locations that they had checked into or were tagged on Facebook.

The hackers could also read the names of private conversations on Facebook Messenger, but not the content of those messages, company officials said. However, hackers were able to read messages sent to users who were administrators of Facebook pages.

The security breach comes at a time when Facebook is already under fire over data-privacy lapses. On Thursday, the company said it had purged roughly 800 accounts and publishers that were sending out politically motivated spam about the coming U.S. midterm elections, sparking renewed controversy that Facebook is censoring political speech. U.S. federal investigators and the Securities and Exchange Commission are also investigating the social-media giant’s response to revelations that political consultancy Cambridge Analytica improperly collected information from millions of Facebook accounts earlier this year.

Company officials said that the hackers were not able to access information on third-party apps like Facebook-owned Instagram, or services that allowed their users to log in to their apps through Facebook. The company initially warned that third-party apps may have been affected by the attack.

The company said that it is co-operating with an FBI investigation into the security breach and that investigators had requested Facebook not to discuss who was behind the attack.

Company officials declined to say what countries the hackers had targeted, but described the security breach as a “broad” attack. Canadian users have reported having to unexpectedly log in again to their Facebook accounts after the security breach. The company said that it had reset the accounts of 90 million users as a precautionary measure.

“People’s privacy and security is incredibly important and we are sorry this happened,” said Guy Rosen, Facebook’s vice-president of product management. “We know we will always face threats from those who want to take over accounts or steal information.”

Irish data-protection authorities have opened an investigation into whether the security breach violated Facebook’s obligations under the General Data Protection Regulation, strict new European Union digital-privacy laws enacted earlier this year.

“Today’s update from Facebook is significant now that it is confirmed that the data of millions of users was taken by the perpetrators of the attack,” Ireland’s Data Protection Commission said in a statement on Friday. European authorities can fine companies as much as four per cent of annual global revenues for serious privacy lapses.