Facebook says hackers accessed data from 29 million accounts as part of the security breach disclosed two weeks ago.
The exact number had not been known before.
Originally Facebook said 50 million accounts could have been affected, but they did not know if they had been misused.
The hackers accessed names, email addresses or phone numbers from those 29 million accounts.
For 14 million of those accounts, hackers got even more data, such as home town, birth date, the last 10 places they checked into or 15 most recent searches.
One million accounts were affected but no information was gained.
The social media service plans to send messages to people whose accounts were hacked.
It says third-party apps and Facebook apps like WhatsApp and Instagram were unaffected by the breach.
Facebook says the FBI is investigating, but authorities asked them not to discuss who may be behind the attack.
That suggests Facebook may know or suspect who is actually behind the breach.
Facebook has said the attackers gained the ability to “seize control” of those user accounts by stealing digital keys the company uses to keep users logged in.
They could do so by exploiting three distinct bugs in Facebook’s code.
The company said it has fixed the bugs and logged out affected users to reset those digital keys.
At the time, chief executive Mark Zuckerberg, whose own account was compromised, said attackers would have had the ability to view private messages or post on someone’s account, but there was no sign that they did.
Comments: Our rules
We want our comments to be a lively and valuable part of our community - a place where readers can debate and engage with the most important local issues. The ability to comment on our stories is a privilege, not a right, however, and that privilege may be withdrawn if it is abused or misused.
Please report any comments that break our rules.
Read the rules here