Facebook revealed that a previously announced security breach on its platform had a wide impact for some users, and it confirmed that the hack compromised personal and contact information. The company said the FBI is actively investigating the hack and asked Facebook not to disclose any potential culprits.

The attack, detected in late September, exposed some users’ emails and phone numbers, as well as profile information including gender, location, birth date, and recent search history. In a blog post on Friday, Facebook did not apologize for exposing its users’ information but noted that it was cooperating with the FBI, the US Federal Trade Commission, the Irish Data Protection Commission, and other authorities on the issue.

The attack involved the capturing of Facebook “access tokens,” or digital keys that allow websites to recognize who someone is and keep them logged in. Using accounts they already controlled, the attackers used an “automated technique” to exploit Facebook’s “View As” functionality and steal access tokens for some 400,000 people. Hackers than used friend lists from a portion of those 400,000 affected accounts to obtain access tokens for another 30 million people. (Here's how to find out if you were hacked.)

“For 15 million people, attackers accessed two sets of information – name and contact details (phone number, email, or both, depending on what people had on their profiles),” the company said in its release. “For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles. This included username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.”

The company said for about a million people, attackers did not access any information.

An FBI spokesperson acknowledged that the agency had been in touch with Facebook, but declined comment.