Spammers, not a nation state, behind Facebook data breach, report says

Jessica Guynn | USA TODAY

Show Caption Hide Caption 30 million Facebook users had their accounts hacked See what was stolen from all those Facebook accounts.

SAN FRANCISCO — Facebook believes spammers, not a nation state, were behind the data breach of 30 million accounts, according to a published report.

The spammers aimed to make money through deceptive advertising and masqueraded as a digital marketing company, people familiar with the company’s internal investigation told the Wall Street Journal.

Facebook has declined to say who was behind the hack, which was the worst security breach in its history.

Reached for comment by USA TODAY on Wednesday night, Facebook pointed to last week's statement from Guy Rosen, vice president of product management. "We are cooperating with the FBI on this matter," the statement says. "The FBI is actively investigating and have asked us not to discuss who might be behind the attack."

Facebook believes the attackers are a group of Facebook and Instagram spammers, known to Facebook security, who pass themselves off as a digital marketing company, the Journal reported.

Twenty million fewer accounts were breached than originally thought – 30 million instead of 50 million – but attackers made off with sensitive personal information from nearly half of those users that could put them at serious risk, including phone number and email address, recent searches on Facebook, location history and the types of devices people used to access the service, the company told users last week.

Related: Facebook breach puts your identity at risk. Here's what you can do to protect yourself

More: Midterms: 'Furious' Democrats purchase blitz of Facebook ads on Kavanaugh, far outpacing GOP spending

For about half of those whose accounts broken into – some 14 million people – the hackers looted extensive personal information such as the last 10 places that Facebook user checked into, their current city and their 15 most recent searches. For the other 15 million, hackers accessed name and contact details, according to Facebook. Attackers didn’t take any information from about 1 million people whose accounts were affected. Facebook says hackers did not gain access to financial information, such as credit-card numbers.

The extent of the personal information compromised by attackers delivered a blow to the public relations campaign Facebook has been waging to convince the more than 2 billion people who regularly use the service that it's serious about protecting their personal information.