Facebook didn't respond to a request for comment, and Rosen declined to provide specific details on the attackers because the FBI is investigating the breach.
The FBI is investigating the hacking an has asked the company not to reveal who was behind it. Facebook originally disclosed the hack to the public two weeks ago saying 50 million accounts were compromised.
Initially, Facebook said as many as 50 million people had been affected, though it decreased that number in Friday's update. The good news is fewer users were attacked than the original estimate but the bad news is, hackers were able to steal data during the breach.
Between July 2017 and September 2018, attackers accessed Facebook and created a security vulnerability that allowed them to retrieve access tokens to take over people's accounts. Before we get too deep into the weeds of how Facebook says the attack happened and what it's doing about it now, here's how to tell if you're one of the 30 million or so people affected.
For 14 million victims, the attackers accessed a trove of user highly sensitive data, including gender, relationship status, religion, hometown, current city, birth date, devices used to log in, education, locations checked into, pages followed, recent searches, name, and contact details.
US, rights groups say United Nations rights council vote awards abusers
The 47-member Human Rights Council, or UNHRC, can spotlight abuses and has special monitors watching certain countries and issues. India had previously been elected to the Geneva-based Human Rights Council for the 2011-2014 and 2014-2017 term.
Facebook isn't giving a breakdown of where these users are, but says the breach was "fairly broad". Three software bugs in Facebook's code connected to this feature allowed attackers to steal Facebook access tokens they could then use to take over people's accounts. Up to 90 million people were logged out of their accounts and had those tokens reset as a result of the bug's discovery. The company said hackers were able to access personal information for almost half of those accounts.
Regardless of whether your account was affected, you might also want to consider deleting or deactivating your Facebook account, especially if you don't use it often. On September 25, we determined this was actually an attack and identified the vulnerability.
Below the notice about what information was hacked, Facebook apologizes for the security breach. It also could be used in so-called spear phishing attacks, in which hackers use the information they know about particular users to send them personalized messages that convince them to leak their passwords or other critical data.
It will also provide guidance on how to spot and deal with suspicious emails or texts. The attackers didn't take any information from about 1 million people whose accounts were vulnerable.
On Friday, the data gathering biz said a mere 30 million people were robbed of their authentication tokens. The more data a hacker has about someone, the more believable they can make the email lure.
Patrick Moorhead, founder of Moor Insights & Strategy, said the breach appeared similar to identity theft breaches that have occurred at companies including Yahoo and Target in 2013.