Facebook says hackers accessed phone numbers, email addresses as part of latest breach

Facebook said hackers were able to access phone numbers, email addresses and search information as part of the company's most recent data breach. The breach affected about 30 million accounts, fewer than previously thought, the social network confirmed Friday.

In a blog post providing the update, Guy Rosen, Facebook's vice president of product management, wrote that the hackers used an automated technique to steal access tokens of about 400,000 people, ultimately getting the tokens of 29 million users.

"In the process, however, this technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles," Rosen wrote in the post. "That includes posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations."


He added that the content from Messenger "was not available to the attackers, with one exception," - if someone was a Page administrator of a Page that "had received a message from someone on Facebook."

Fifteen million of the 29 million affected had two sets of data stolen, Rosen wrote: "name and contact details (phone number, email, or both, depending on what people had on their profiles)."

The remaining 14 million had those data sets accessed, as well as other details on their profiles, including: "username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches."

Facebook users who want to see if they are affected can click here.

The exact number hadn't been known before. Last month, when it first disclosed the breach, Facebook said 50 million accounts could have been affected, but the company didn't know if they had been misused. The Mark Zuckerberg-led company also said it was taking the precautionary measure of resetting access tokens for another 40 million accounts that were "subject to a 'View As' look-up in the last year," bringing the total to 90 million accounts who will now have to log back into the service.


For one million accounts affected by the recent breach, hackers didn't gain any information, according to Facebook. The social media service plans to send messages to people whose accounts were hacked.

Rosen added that the attack did not affect other Facebook-owned apps, such as Messenger, Instagram, WhatsApp and others. It also did not affect payments, advertising or third-party apps as had previously been reported by some outlets.

The Associated Press contributed to this report. Follow Chris Ciaccia on Twitter @Chris_Ciaccia