After two weeks of investigation, Facebook announced additional details on Friday of how attackers carried out a massive breach of the social network that compromised accounts for tens of millions of users. The company downgraded its estimate of how many users had their access tokens stolen from an original estimate of at least 50 million to 30 million—and shed new light on exactly how an attack of this magnitude happened in the first place.

Facebook had previously said that hackers took advantage of three vulnerabilities in the "View As" feature—which lets users see what their profile looks like to other users—to grab access tokens that could then allow them to infiltrate user accounts. The flaws had been present in the platform since July 2017, but the company first detected a rise in suspicious activity on September 14 of this year. That eventually led it to discover the bugs, and the attack they enabled, on September 25.

“With these access tokens an attacker could get into people’s accounts,” Guy Rosen, Facebook's vice president of product management, told reporters in a call on Friday. “We’re looking at approaches that could address this class of problem and ensuring that we can catch them faster and minimize their impact.”

Facebook says it is cooperating with the FBI, and can't reveal any findings about the identity of the hackers or their possible motivations, but the attack seems to have been well-coordinated, with the right infrastructure in place to quickly begin fanning out and exfiltrating data. The attackers used a group of established seed accounts that they controlled to exploit the vulnerabilities and steal access tokens from their accounts' friends, friends of friends, and so on.

By automating this process, the hackers ultimately took over 400,000 accounts, through which they loaded what were essentially mirrors of what users would see when they looked at their own profiles. This means the attackers would have been able to access all of a user's basic information like places lived and contact information, but also things like their friends, groups they were in, posts on their timelines, and names of people they had messaged with recently in Messenger.

"The 400,000 accounts are the ones where [the attackers'] script loaded the ‘View As’ view, so that actually loads the Facebook profile for that person, and as part of that, when that web page loads and renders in their script it would have included ... things like their posts on their timeline, list of friends or groups they’re members of," said Rosen.

Attackers couldn't see the contents of messages, unless the compromised user was a Facebook Page administrator, in which case incoming messages were visible. Facebook has concluded that the attack did not impact data in the company's related services including Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, and developer accounts. Full credit card numbers also would not have been visible to the attackers, and Facebook says it doesn't have evidence that the attackers accessed the last four digits of user credit cards.

From the first round of 400,000 compromised accounts, though, the attackers continued to compromise access tokens, ultimately spring-boarding to 30 million total. Within the broad 30 million there were three groups. For 15 million accounts, the attackers specifically accessed names and contact information (phone numbers, email addresses, or both, based on what a particular user listed). On 14 million accounts the attackers took all of that information, plus more granular profile data.

Rosen wrote on Friday that additional information that may have been stolen from this second group included "username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches."