MILLIONS of email addresses and phone numbers were compromised during a recent Facebook security breach, the company has admitted.
The social media giant, which has more than two billion users worldwide, announced last month that engineers had discovered a "security issue" which affected 50 million accounts.
On Friday, the company's vice president of product management Guy Rosen said "fewer people were impacted than we originally thought", with access tokens stolen from around 30 million accounts.
Access tokens work as digital keys, letting those who hold them log into Facebook accounts without entering a password.
Shedding new light on the hack, Rosen said the attackers used an "automated technique" to move from account to account stealing tokens of friends-of-friends, "totalling about 400,000 people".
This pool of 400,000 users allowed them to steal access tokens from the full 30 million, he continued.
He wrote: "For 15 million people, attackers accessed two sets of information - name and contact details (phone number, email, or both, depending on what people had on their profiles).
"For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles.
"This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.
"For 1 million people, the attackers did not access any information."
Rosen said a combination of three bugs in the View As feature, which lets users see what their profile looks like from the perspective of other accounts, made access tokens freely available to copy from the source code of the web page.
It was this vulnerability which allowed "an external actor" to obtain access tokens, giving them the ability to log into, and take over, users' Facebook accounts and any of their other services, such as Spotify, Instagram or Tinder, which accept Facebook access tokens.
Messages between accounts were not compromised by the hackers, Rosen said, except if the person was a page admin whose page had received a message.
Facebook staff first noticed an "unusual spike of activity" that began on September 14.
On September 25, the trend was identified as an attack, prompting programmers to close the vulnerability, which happened within two days, the tech chief said.
"We're cooperating with the FBI, which is actively investigating and asked us not to discuss who may be behind this attack," his blog continued.
Facebook users can check if they are affected by visiting the website's help centre.