Facebook said hackers accessed data from 29 million accounts as part of a security breach disclosed two weeks ago. That’s fewer than the 50 million it initially believed were affected.
The hackers accessed names, email addresses or phone numbers from the 29 million accounts, according to Facebook. Hackers got even more data from 14 million of them, such as hometown, birth date, the last 10 places they checked into, or the 15 most recent searches.
An additional 1 million accounts were affected, but hackers didn’t get any information from them.
The company said users’ credit card information was not exposed.
Facebook isn’t giving a breakdown of where the users are located, but said the breach was “fairly broad.” It said third-party apps and Facebook apps like WhatsApp, Instagram and Messenger were unaffected by the breach.
The FBI is investigating the attack but asked the company not to discuss who may have been behind it, Facebook said. The company said it hasn’t ruled out the possibility of smaller-scale attacks that used the same vulnerability.
The social media giant has said the attackers gained the ability to “seize control” of those user accounts by stealing digital keys the company uses to keep users logged in. They could do so by exploiting three distinct bugs in Facebook’s code. The company said it has fixed the bugs and logged out affected users to reset those digital keys.
At the time, CEO Mark Zuckerberg — whose own account was compromised — said attackers would have had the ability to view private messages or post on someone’s account, but there’s no sign that they did.
Users can check to see if they were affected by the hack by visiting Facebook’s help center. At the bottom of the page, users can get answers under the section: “Is my Facebook account impacted by this security issue?”
Facebook said it plans to send messages to users whose accounts were hacked. It also plans to share steps they can take to protect themselves from suspicious emails, text messages and phone calls.