Facebook Hack Compromised 30 Million People, Exposing Phone Numbers, Emails
Facebook’s recent hack affected 30 million people, fewer than the company originally believed, but compromised sensitive information like people’s phone numbers and email addresses.
In a call with reporters on Friday, Facebook vice president of product management Guy Rosen detailed the type of personal information attackers may have obtained in what was likely the biggest data breach in the social networking giant’s history. When Facebook first detailed the hack in late September, executives believed that about 50 million people were compromised, but after a few more weeks of investigating, the company trimmed the number to 30 million.
Hackers could have taken information like names and contact details like phone numbers and email addresses from 15 million Facebook users, Rosen said.
For another 14 million people affected by the hack, Facebook believes that attackers obtained that same information—as well as additional details like gender, relationship status, religion, birthdates, the last 10 places they checked into, their 15 most recent searches, and the type of device they use to access Facebook. Hackers could have obtained this information if people had the data listed on their Facebook profiles, said the company.
Facebook does not believe that hackers obtained any information from the other one million people compromised by the attack, which started on Sept. 14 and which Facebook said it was able to stop on Sept. 27.
Rosen said that other Facebook services like Instagram, Oculus, WhatsApp, or Workplace were not impacted by the attack, nor were third-party apps that allow people to use their Facebook accounts to log in. In response to the hack, the company built coding tools for third-party developers that can help them identify whether their users may have been impacted by the attack, Rosen said.
Although Facebook notified the Federal Bureau of Investigation of the attack, the bureau “asked us not to share any additional details that can compromise their investigation,” Rosen said.
Rosen would not say which specific countries were impacted by the hack or which entities Facebook suspects were behind it. However, Rosen said that it’s unlikely that the attackers were politically motivated.
“We have no reason to believe that this specific attack was related to the midterms,” Rosen said of the upcoming U.S. elections.
On Thursday, Facebook said it removed 559 pages and 251 accounts that it believed were intentionally misleading and spamming people with “sensational political content.” The purge was part of the company’s ongoing efforts to safeguard its service from facilitating the spread of misinformation in prelude to the midterm elections, similar to how Russian entities shared propaganda on the social network prior to the 2016 U.S. presidential election.
Rosen also said Facebook is cooperating with other authorities including the Irish Data Protection Commission on the hack. The commission, which is the European Union’s lead regulator for privacy matters, said in early October it would investigate the data breach to determine if Facebook violated the EU’s General Data Protection Regulation, or GDPR, privacy laws.
Investigation commenced into Facebook data breach. @DPCIreland statement beneath. #dataprotection #GDPR #eudatap pic.twitter.com/7eHKUigTq5
— Data Protection Commission Ireland (@DPCIreland) October 3, 2018
To determine if a user’s Facebook account was compromised by the hack, Facebook debuted a support page that tells people whether they were impacted and what kind of data may have been leaked.
“We are sorry this happened,” Rosen said. “We are fully committed to this work and we’ll do all we can to earn people’s trust.”