Facebook says 29 million users’ personal information was stolen in recent hack

Facebook CEO Mark Zuckerberg speaks at a conference in May.
(Marcio Jose Sanchez / Associated Press)

The hackers who exploited a Facebook vulnerability last month accessed the personal information of nearly 30 million users, the social media giant revealed Friday.

On about 29 million of the affected accounts, hackers accessed contact information, such as phone numbers and email addresses, Facebook Inc. said, and a slew of other personal details were exposed on about half of those accounts.

But the breach was not as big as Facebook initially thought. Two weeks ago, when it notified the public of the attack, the Menlo Park, Calif., company said nearly 50 million accounts had been affected before it could find and patch the vulnerability.


The company also said Friday that it saw no evidence that the hackers used Facebook logins to access affected users’ accounts on third-party sites or apps.

On 14 million of the affected accounts, the hackers accessed details including but not limited to user name, gender, language, relationship status, religion, birthday and device used to log on to the social network, Facebook said Friday.

Then there were about 400,000 users who were even more deeply affected. Using a bug in the “View As” feature — which enables a user to view his or her own profile the way someone else sees it — the hackers could see those 400,000 users’ entire profiles, Facebook said.

It said the hackers had access to those users’ friend lists, posts on their timelines, groups each user had joined and the titles of recent conversations the users had held on Facebook Messenger. The content of those messages were not visible, except in limited cases for users who were page administrators, the company said.

The FBI is working to determine who the hackers are and what they intend to do with the information they stole, Facebook said.

The company said it was cooperating with the FBI investigation and could not discuss the hackers’ identities or intentions. Facebook’s vice president of product management, Guy Rosen, said the company had “no reason to believe that this specific attack was related to the midterms” because the hackers targeted a broad base of users. The company declined to provide any further evidence.


“We are constantly working and have a lot of teams focused on activities ahead of the midterm elections,” Rosen told reporters Friday.

Experts warn that the breach may open users up to phishing and other scams off the Facebook platform.

“When you do phishing, you can do it by email, by phone calls, or you can do it by texting,” said Rebecca Herold, the founder and president of privacy and security management consulting firm Simbus360. “By having access to a lot of additional information about a person such as knowing who they communicate with, it would be very easy to spoof that person’s friend and ask for information.”

Herold also said scammers may be able to use the personal information accessed, such as a person’s alma mater or maiden name, to guess that person’s passwords or the answers to their security questions when attempting to log into their other online accounts.

She said scammers could also combine the kind of personal information gleaned from Facebook with information that’s publicly available and use the trove of details to pull other kinds of cons.

Facebook said it will send customized messages to the 30 million affected users to explain what information the hackers accessed. In the meantime, users can check whether they were affected by visiting Facebook’s help center.


Twitter: @jmbooyah


4:15 p.m.: This article was updated throughout with Times staff reporting.

This article was originally published at 11:20 a.m.