Now, Facebook has released an update on the breach investigation revealing the true number of users affected by the hack.
This 2013 photo shows a sign at Facebook headquarters in Menlo Park, Calif. Facebook says hackers accessed data from 29 million accounts as part of the security breach disclosed two weeks ago.
The attackers took profile details such as birth dates, employers, education history, religious preference, types of devices used, pages followed and recent searches and location check-ins from 14 million users.
Facebook says third-party apps and Facebook apps like WhatsApp and Instagram are unaffected.
Those flaws were compounded by a bug in Facebook's video-uploading program for birthday celebrations, a software feature that was introduced in July 2017.
In the days since, Facebook has scrambled to figure out how things went wrong, who could be responsible for the attack and what the attackers planned to do with the information.
27 people hurt as weakened hurricane Leslie slams into Portugal
More than 300,000 homes lost electricity as the storm passed, said Belo Costa, commander at the Civil Protection Agency. Throughout the weekend, Leslie's ocean swells were also expected to wrack Madeira, the Azores and the Canary Islands.
Facebook says it is trying to determine whether the attackers took actions beyond stealing data, such as posting from accounts. Namely, 20 million fewer accounts had their tokens stolen than what Facebook originally projected.
The company said it has fixed the bugs and logged out affected users to reset those digital keys. For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. "Usually when you're looking at a sophisticated government operation, then a couple of thousand people hacked is a lot, but they usually know who they're going after".
In a press call, Guy Rosen, Facebook's VP of Product Management, said the attackers "moved from account to account using an automated script collecting tokens, repeatedly exploiting the vulnerability using access tokens for about 400,000 people".
Typically, companies affected by large data breaches - such as Target, in 2013 - provide access to credit protection agencies and other methods to lower the risk of identity theft.
And for 1 million affected users, the hackers did not access any information. Here is a look at how to find out if your Facebook data was included in the security breach.
Despite this, European Union privacy watchdog Data Protection Commission Ireland (DPC Ireland) announced it was investigating the data breach for possible violations of Europe's new General Data Protection Regulation (GDPR). All the company is saying is that they are taking it seriously and working with the Federal Bureau of Investigation and other agencies to investigate. "This allowed them to steal Facebook access tokens, which they could then use to take over people's accounts", it added.
Facebook has also established a Web page at facebook.com/help/securitynotice?ref=sec that will inform its 2 billion users who are logged in whether their accounts were affected. The company does note that it is not ruling out "small-scale attacks", either, and is investigating.