Facebook says cyber attackers used an automated program that moved from one friend to the next to steal data from 29 million of its user accounts and not the 50 million profiles it initially reported.
The company says it will message those affected over the coming days to tell them what type of information has been accessed.
The breach has left users more vulnerable to targeted phishing attacks and could deepen their unease about posting to a service whose privacy, moderation and security practices have been called into question by a series of scandals, cybersecurity experts and financial analysts say.
The attackers took profile details such as birth dates, employers, education history, religious preference, types of devices used, pages followed and recent searches and location check-ins from 14 million users.
For the other 15 million users, it was restricted to name and contact details.
Members of congress and investors have grown more concerned Facebook is not doing enough to safeguard data.
The company’s shares rose 0.2 per cent on Friday (local time), compared to a 2.2 per cent gain in the Nasdaq composite index.
Facebook cut the number of affected users from its original estimate after investigators reviewed activity on accounts that may have been affected.
Still, cyber security experts warned that the millions of users were at risk of attack.
“The bottom line is that all this data is still out there,” said Corey Milligan, a senior researcher with cyber-security firm Armor Inc.
Facebook Vice President Guy Rosen told reporters the FBI has asked the company to limit descriptions of the attackers due to an ongoing inquiry.
Mr Rosen revealed that while the attackers’ intent has not been determined, they did not appear to be motivated by the US Congressional election scheduled for November 6.
He declined to break down the number of users by country.
Facebook says it is trying to determine whether the attackers took actions beyond stealing data, such as posting from accounts.
Hackers stole neither personal messages nor financial data and did not use their access to accounts users’ accounts on other websites.