Cyber attackers stole data from 29 million Facebook accounts using an automated program that moved from one friend to the next, the social media giant has revealed.

Key points:

Facebook says the users hacked are from a "fairly broad" number of countries

The cyber attack started small and spread through "friends of friends"

Facebook has a website to check if your account was breached

The company said the figure, reached after investigators reviewed activity on accounts that may have been affected, was lower than the 50 million profiles it initially reported.

Facebook said it would message affected users over the coming days to tell them what type of information had been accessed in the attack.

But what did the hackers take? Here's how the data breach affected users and how to tell if you were hacked.

Who has been hacked?

We don't know yet. Facebook isn't giving a breakdown of where these users are, but said the breach was "fairly broad".

Facebook said third-party apps that use a Facebook login and Facebook apps like WhatsApp and Instagram were unaffected by the breach.

The social media company said the FBI is investigating.

Facebook vice president Guy Rosen told reporters that the FBI asked the company to limit descriptions of the attackers due to an ongoing inquiry.

Mr Rosen did reveal that, while the attackers' intent has not been determined, they did not appear to be motivated by the upcoming US mid-term Congressional election on November 6.

Mark Zuckerberg was called in to testify in a congressional hearing over Facebook's privacy policies this year. (AP: Pablo Martinez Monsivais)

How to check if you were hacked

The company has a website its 2 billion global users can use to check if their accounts have been accessed, and if so, exactly what information was stolen.

It will also provide guidance on how to spot and deal with suspicious emails or texts.

What did the hackers have access to?

In a post on its blog, Facebook said the attackers took profile details such as birth dates, employers, education history, religious preference, types of devices used, pages followed and recent searches and location check-ins from 14 million users.

For the other 15 million users, it was restricted to name and contact details.

An additional 1 million accounts were affected, but hackers didn't get any information from them.

Chief executive Mark Zuckerberg — whose own account was compromised — said attackers would have had the ability to view private messages or post on someone's account, but there's no sign that they did.

Hackers stole neither personal messages nor financial data and did not use their access to users' accounts on other websites, the company said.

The vulnerability the hackers exploited existed from July 2017 through late last month, when Facebook noticed an unusual increase in use of its "view as" feature.

That feature allows users to check privacy settings by glimpsing what their profile looks like to others. But three errors in Facebook's software enabled someone accessing "view as" to post and browse from the Facebook account of the other user.

The breach has also left users more vulnerable to targeted phishing attacks.

Cybersecurity experts and financial analysts said the attack could deepen users' unease about posting to a service whose privacy, moderation and security practices have been called into question by a series of scandals.

How were so many accounts affected?

The hackers began with a set of accounts they controlled, then used an automated process to access the digital keys for accounts that were "friends" with the accounts they had already compromised.

That expanded to "friends of friends," extending their access to about 400,000 accounts. It went on from there to reach 30 million accounts.

The company said it has fixed the bugs and logged out affected users to reset those digital keys.

The attackers used the "view as" flaw to breach the accounts of their friends, then used a tool they developed to expand to friends of friends and beyond.

Facebook patched the issue last month and asked 90 million users to log back into their accounts, many just as a precaution.

Why are we finding out about this now?

Security experts have said Facebook's initial breach disclosure arrived earlier than it likely would have before the European Union's General Data Protection Regulation took effect in May.

That law mandates notification within 72 hours of learning of a compromise.

Facebook's lead EU data regulator, the Irish Data Protection Commissioner, last week opened an investigation into the breach.

Authorities in other jurisdictions including the US states of Connecticut and New York are also looking into the attack.

Regulators around the world have launched inquiries into another matter: How profile details from 87 million Facebook users were improperly accessed by political data firm Cambridge Analytica.

What's being done about the potential identity breaches?

Facebook says affected users will be directed to the website's help section.

But Patrick Moorhead, founder of Moor Insights and Strategy, said the breach appeared similar to identity theft breaches that have occurred at companies including Yahoo and Target in 2013.

"Those personal details could very easily be used for identity theft to sign up for credit cards, get a loan, get your banking password," he said.

"Facebook should provide all those customers free credit monitoring to make sure the damage is minimised."

But a Facebook spokeswoman told the BBC it would not be taking the step "at this time".

ABC/AP/Reuters