In a news release with the bizarrely vague title of "An Update on the Security Issue", Facebook has revealed that the "View As" security breach it opened up about recently gave hackers access to the personal details of 15 million users.

Having previously advised that the access tokens stolen by hackers had not been used to infiltrate other apps and services, the social networking giant now says 15 million people have had their names and contact details exposed. 14 million users had significantly more details revealed, including username, relationship status, religion, hometown, birthdate, places they have checked into, and recent searches.

See also:

The new details have been revealed by Guy Rosen, vice president of product management at Facebook, who starts off by trying to downplay the significance of the attack. He says: "Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen".

But for a large proportion of those that were affected by the attack, the implications could be great.

Rosen discloses just want hackers were able to access:

For 15 million people, attackers accessed two sets of information -- name and contact details (phone number, email, or both, depending on what people had on their profiles). For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches. For 1 million people, the attackers did not access any information.

The data that has been accessed is not only highly revealing private information, but is precisely the sort of data that could be used for identity theft and social engineering.

Facebook says that it is still working with the FBI, the US Federal Trade Commission, Irish Data Protection Commission, and other authorities to determine who was responsible for the attack.

Image credit: jakkapant turasen / Shutterstock