When Facebook announced at the end of September that it had suffered a data breach that ultimately affected 30 million accounts, it seemed, perhaps, like the work of sophisticated nation-state hackers. But a new report from The Wall Street Journal suggests spammers as the culprit instead. That shouldn't make you feel that much better, though, given just how much damage criminals can do with the kind of information stolen from Facebook.

It was, after all, a lot. The sophisticated daisy chain attack that the hackers pulled off garnered the names, phone numbers, and email of 15 million Facebook users. Fourteen million more had their username, date of birth, gender, devices they used Facebook on, and language settings compromised at the very least. Hackers could also have gleaned relationship status, religion, hometown, current city, work, and education info, depending on how fully victims had filled out their profile, along with the 10 most recent locations they checked into or were tagged in, and their 15 most recent Facebook searches. (Here's how to find out if you were affected, and how badly.)

All of which becomes particularly dangerous in the hands of spammers.

"Having accurate, detailed data, and a large amount of data, makes spamming campaigns more profitable," says Jérôme Segura, lead malware intelligence analyst at the network defense firm Malwarebytes. "And this Facebook data is very unique. It has a lot of value, because it's from people supplying the information genuinely and saying 'I checked in at this hotel or here are some of my interests.' It's a priceless database trove for marketers."

For now, Facebook won't weigh in publicly on who was behind the attack. Guy Rosen, the social network's vice president of product management, said repeatedly in a call with reporters last week that, “The FBI is actively investigating and have asked us not to discuss who may be behind this attack.” The company reiterated this to WIRED on Friday.

The possibility that scammers were behind the theft, though, highlights the ways in which centralized data repositories like email accounts and social media profiles are potential gold mines for—and frequent targets of—phishers, spammers, and shady marketers.

Granular data helps spammers craft maximally convincing emails, SMS messages, and calls. The data not only helps improve the general verisimilitude of broad spam campaigns, but also makes it easier to specifically tailor scams to individuals. For example, in one popular scam, an email threatens to release compromising photos of you, and uses information like your old passwords and your phone number to make it seem like the attacker really does have dirt. The more credible they seem, the more likely you are to pay them off. If you were compromised in the Facebook hack, they now also potentially know where you live, where you've worked, and where you've been.

Attackers can use that sort of detailed information in all sorts of other ways, as well. Segura points out that a trove like the one stolen from Facebook would be valuable for launching massive malvertising campaigns that try to entice web users to click on malicious ads, since it contains so many indicators of a person's background and preferences. And having such granular data about people would enrich all sorts of phishing attacks and so-called "business email compromise" scams, in which attackers try to gain access to email accounts within a business to gain credibility, and then influence malicious activity like payments to the attacker. You're a lot more likely to think an email is really from your boss if she's referencing your upcoming birthday, and the work trip you went on to Cleveland in the fall. Phishers and BEC scammers could also use details from the breach to send convincing messages externally, posing as a company's client, for example, or a disgruntled customer.