Facebook does not believe that hackers obtained any information from the other one million people compromised by the attack, which started on September 14 and which Facebook said it was able to stop on September 27.
The attackers initially had access to a limited number of accounts, and it's not clear whether these were bogus, but they were connected to other "friends" on the site.
An additional 14 million users were affected more deeply, having additional details taken related to their profiles, such as their recent search history, gender, educational background, geolocation data, birth dates, and lists of people and pages they follow. The vulnerability, Facebook said, had existed since July 2017.
The Facebook exec also went into more detail on how the attack unfolded.
Beginning with a set of accounts controlled by the attackers, the exploit jumped from friends of those users to friends of friends, ballooning to the eventual total of 30 million accounts via an automated script. One million accounts were affected but hackers didn't gain information.
This was clearly an intentional, malicious theft of user data from Facebook, and some of that data is very granular. For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles.
Facebook says attackers exploited a feature in its code that allowed them to commandeer users' accounts.
Facebook users can check if they are affected by visiting the website's help centre.
Google+ to shut down after breach involving 500,000 users
Google, which has now gone public with the data exposure, wrote in a blog post that it found no evidence of data misuse. Google said it would continue to offer private Google+-powered networks for businesses now using the software.
"It allowed attackers to steal Facebook access tokens, which they could then use to take over people's accounts."
Facebook noted that the attack did not include its other apps and devices such as Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, payments, third-party apps, or advertising or developer accounts.
Hackers accessed millions of victims' highly sensitive personal data, including locations, relationship information, recent searches, and birthdates.
As the matter is still under investigation, Facebook vice president Guy Rosen told reporters that the FBI had asked them to limit descriptions of the attackers. Facebook is also already working with the FTC and the Irish Data Protection Commission, both of which are investigating the matter independently.
The breach was disclosed at the worst possible time for Facebook, which is grappling with a series of crises that have shaken user trust in the world's largest social network.
Last Friday, Facebook said that it had temporarily reset access tokens of nearly 50 million accounts and, as a precaution, was resetting access tokens for another 40 million accounts.
Facebook engineers are working closely with the Federal Bureau of Investigation on the hack. With an access token, an attacker could take over your account and use it as if they were you.
News of the hack emerged on 5 October when Facebook said it feared 50m users had been affected. The vulnerability wasn't patched until last month, after the company's engineers noticed some unusual activity that turned out to be the attack.