Facebook has admitted that hackers accessed the data of 29 million users on the social network by using people’s friends lists to steal access tokens.
The social network addressed the September attack on Friday, saying in a statement that it is cooperating with the FBI, which is “actively investigating.” Facebook added that the bureau has asked it not to discuss who may be behind the attack.
It explained that 50 million people’s access tokens are believed to have been affected, and that 30 million of those actually had their tokens stolen.
“First, the attackers already controlled a set of accounts, which were connected to Facebook friends. They used an automated technique to move from account to account so they could steal the access tokens of those friends, and for friends of those friends, and so on, totaling about 400,000 people,” Facebook wrote.