Social media network Facebook announced on Friday that cyber attackers stole data from 29 million Facebook accounts using an automated program that moved from one friend to the next.
Earlier, the US-based social media company had said its largest-ever data theft hit 50 million profiles, Reuters reported. Facebook cut the number of affected users from its original estimate after investigators reviewed activity on accounts that may have been affected.
The company would message affected users over the coming days to tell them what type of information had been accessed in the attack.
From 14 million users, the attackers took profile details such as birth dates, employers, education history, religious preference, types of devices used, pages followed, recent searches and location check-ins.
The breach was restricted to name and contact details for the other 15 million users. Attackers could see the posts and lists of friends and groups of about 400,000 users.
Facebook Vice President Guy Rosen told reporters that the U.S. Federal Bureau of Investigation has asked the company to limit descriptions of the attackers due to an ongoing inquiry.
The vulnerability the hackers exploited existed from July 2017 through late last month, when Facebook noticed an unusual increase in the use of its “view as” feature.
That feature allows users to check privacy settings by glimpsing what their profile looks like to others. But three errors in Facebook’s software enabled someone accessing “view as” to post and browse from the Facebook account of the other user.
Facebook patched the issue last month and asked 90 million users to log back into their accounts, many just as a precaution.
Security experts have said Facebook’s initial breach disclosure arrived sooner than it likely would have before the European Union’s General Data Protection Regulation took effect in May. The regulation mandates notification within 72 hours of learning of a compromise.
Facebook’s lead EU data regulator, the Irish data protection commissioner, last week opened an investigation into the breach. Authorities in other jurisdictions including the U.S. states of Connecticut and New York are also looking into the attack.
Regulators around the world have ongoing inquiries into another matter that came to light in March: how profile details from 87 million Facebook users were improperly accessed by political data firm Cambridge Analytica.
Japan’s Personal Information Protection Commission (JPPC) has launched an investigation into the social media company, the Nikkei newspaper reported on Friday. Facebook has about 28 million monthly active users in Japan.