LONDON - According to an *official statement by link* the hackers stole access tokens for 30 million accounts, which allowed them to gain complete access to the profiles. The hackers accessed basic contact information such as name, email address or phone number of over 30 million accounts.
Apart from this, hackers also accessed additional information such as gender, religion, location and device information from another 15 million accounts.
“We’re cooperating with the FBI, which is actively investigating and asked us not to discuss who may be behind this attack,” Facebook said on a blog post. It also added that the attack did not include Instagram, Facebook Messenger, WhatsApp, Oculus, WorkPlace, Pages, Payments and third-party apps/advertising.
Hackers took advantage of a "complex interaction" between three software bugs, which required a degree of sophistication. The vulnerability was created by a change to a video uploading feature in July of 2017.
It involved a flaw in a "See As" feature that showed Facebook what their profiles look like to other people at the social network. Using the feature generated digital keys, called "access tokens," which let users stay connected to their accounts without having to enter passwords anew.