Guy Rosen, VP of Product Management says in a post on Facebook's newsroom that only 30 million out of the estimated 50 million had their personally identifiable information and access tokens stolen in last month's security breach.
Furthermore, "We’re cooperating with the FBI, which is actively investigating and asked us not to discuss who may be behind this attack," said Rosen.
Rosen did not provide any other details regarding FBI's reasons besides the ongoing investigation, but the most probable motive would be to avoid giving the threat actors behind the security attack a heads-up.
On September 28, in a security update press release, Rosen announced that around 50 million user accounts could be affected by a security bug in the "View As" feature introduced with a video uploading code change in July 2017.
As Rosen's report said, the actors were able to steal Facebook access tokens by exploiting a complex interaction of three distinct software bugs allowing them to use the "View As" profile feature.
The stolen access tokens can be used by the threat actors behind the attack to take over the affected Facebook user accounts, effectively allowing the attackers to use the Facebook app without having to re-enter the passwords each time, as well as any other third-party app which users the Facebook Login feature.
Facebook's September data breach was limited to only 30 million accounts of the estimated 50 million
As an immediate mitigation measure after finding out about the security breach, Facebook decided to reset the access tokens of an estimated number of 50 million users to protect their profiles' security and of some 40 million other accounts which had used the "View As" feature during the last year.
"We now know that fewer people were impacted than we originally thought. Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen," said Rosen.
Moreover, "For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles."
Rosen also said that users could check if their account has been affected by the breach by going to Facebook's Help Center and that all 30 million people who were involved in the incident will receive customized notifications with details about the data the attackers stole.