He said the FBI has asked the company " not to discuss who may be behind this attack" or to share other details that could compromise its investigation.
Facebook Inc. said that fewer users than it initially thought were impacted by hackers in the largest-ever security breach at the social-media giant two weeks ago, reducing its estimate from 50 million users affected to 30 million.
With those 400,000 accounts, the hackers used the same vulnerability to steal information on millions of Facebook users.
Out of those 30 million, hackers accessed name and contact details for half of them, Facebook Vice President of Product Management Guy Rosen said in a blog post Friday.
Out of those 30 million, hackers successfully accessed data from 29 million Facebook members. The contact information included a mix of phone numbers and email addresses.
Facebook also said that hackers were unable to access any private messages, with one notable exception: Facebook page administrators who had received or exchanged messages in that role could have seen those messages exposed.
The breach was the latest privacy embarrassment for Facebook, which earlier this year acknowledged that tens of millions of users had their personal data hijacked by Cambridge Analytica, a political firm working for Donald Trump in 2016. A spokesperson for the Irish data regulator said of Friday's announcement, "The update from Facebook today is significant now that Facebook has confirmed that the personal data of millions of users was taken by the perpetrators of the attack".
The breach forced users to log back into their accounts. Post that, Facebook followed the proper procedure and notified the Federal Bureau of Investigation about the attack and is working with other law enforcement agencies to find out the people behind the attack. A scant 1 million didn't have their data accessed at all.
What's 400,000 Facebook access tokens between friends?
"We have not ruled out the possibility of smaller-scale attacks, which we're continuing to investigate", he added.
You can check whether you were affected by visiting Facebook's Help Center and scrolling down to the bottom, where you'll see a notice like this, which will indicate whether you were or weren't hacked.
On September 27, Rosen said Facebook closed the vulnerabilities, secured affected accounts, and reset access tokens for those accounts.
The site began investigating the Facebook hack after noticing activity pick up on September 14.
Facebook's lead European Union data regulator, the Irish Data Protection Commissioner, last week opened an investigation into the breach.