The social media giant revealed the security breach two weeks ago and said it had “not ruled out the possibility of smaller-scale attacks”.
In a new update issued on Friday, Facebook said the “attackers” accessed names, email addresses or phone numbers from 29 million accounts.
For 14 million of those accounts, hackers got even more data, such as their home town, birth date, the last 10 places they checked into or 15 most recent searches.
Facebook said the attack “did not include Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, or advertising or developer accounts”.
The hack came after a feature called “View As”, which allows users to see what their profile looks like to someone else, became vulnerable.
That stemmed from a change the California-based company made to its video uploading feature in July 2017.
Guy Rosen, Facebook’s vice president of product management, said staff had been “working around the clock to investigate”.
He added: “We’re cooperating with the FBI, which is actively investigating and asked us not to discuss who may be behind this attack.”
The accounts were targeted after the hackers initially stole the access tokens of “about 400,000 people”, using an “automated technique to move from account to account”.
Access tokens work as digital keys, letting those who hold them log into Facebook accounts without entering a password.
“This technique automatically loaded those accounts’ Facebook profiles, mirroring what these 400,000 people would have seen when looking at their own profiles,” Facebook said.
“That includes posts on their timelines, their lists of friends, groups they are members of, and the names of recent Messenger conversations.”
Facebook said people could check whether they were affected by going to its help centre.
It also said it would be sending “customised messages to the 30 million people affected to explain what information the attackers might have accessed”.