Facebook’s recently-discovered data breach was more serious than originally anticipated. In late September, Facebook revealed hackers found a security loophole caused by three separate bugs that affected nearly 50 million Facebook accounts. At the time, Facebook did not reveal that any personal information had been stolen, but now the social platform is saying that 29 million people have had their personal information accessed.

Out of those 29 million, 15 million had their names and contact information (phone number and/or email) stolen. Another 14 million had their names and contact information accessed as well as other personal details including user name, gender, locale/language, relationship status, religion, hometown, birthday, current city, device types, education, work, last places they checked into via the app and more. An additional 1 million people had their access tokens taken but no personal information was accessed.

Facebook said the attack did not affect Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, advertising or developer accounts.

Users can find out if their personal data has been accessed by visiting Facebook’s Help Center. Also, F Users can find out if their personal data has been accessed by visiting Facebook’s Help Center. Facebook will follow-up with customized email messages to the 30 million users who were affected to explain what information the hackers may have stolen and with tips as to how people can protect themselves from suspicious emails, texts and phone calls.

While Facebook acted as soon as they realized there was an issue, it seems like they are downplaying the severity of.

“We have been working around the clock to investigate the security issue we discovered and fixed two weeks ago so we can help people understand what information the attackers may have accessed. Today, we’re sharing details about the attack we’ve found that exploited this vulnerability. We have not ruled out the possibility of smaller-scale attacks, which we’re continuing to investigate,” said Guy Rosen, vice president of product management, in an October 12 blog post.

“We now know that fewer people were impacted than we originally thought. Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen,” Rosen added.

Facebook said it originally identified the problem when they saw a spike of activity that started on September 14. On September 25, they determined the social media platform had been attacked, and over a two-day period, they secured user accounts by resetting access tokens. Facebook is cooperating with the FBI who is investigating. In addition, the Federal Trade Commission, Irish Data Protection Commission and the Spanish Data Protection Agency are looking into the matter.

Insider Take:

As I said in my October 4 article on the data breach, from a PR standpoint, Facebook seems to have acted swiftly. However, it is concerning that it took Facebook approximately two more weeks to determine that personal data had, in fact, been accessed. At what point did they know that information? Did they know it immediately, or did they attempt damage control before revealing that information?

What is particularly frustrating is that so many of us have come to rely on Facebook to communicate with family and friends and millions of brands and organizations rely on it as a marketing and customer service tool. To unfriend Facebook as a social media platform would be difficult, but Facebook’s reputation is getting chipped away with each scandal and breach. It will take a lot of effort on their part to regain trust from users.