Facebook said the FBI is investigating, but asked the company not to discuss who may be behind the attack.
The company has a website its 2 billion global users can use to check if their accounts have been accessed, and if so, exactly what information was stolen.
The company believes its initial estimate of 50 million compromised login tokens - it reset 90 million in total as a cautionary measure - was generous, and Facebook now believes the number of accounts impacted to be closer to 30 million.
In a statement, the Data Protection Commission described the update as "significant", as it confirmed that the personal details of millions of Facebook users were accessed by hackers. Of that number, 14 million users had further details exposed, including gender, religion, device types, birthday, last checked-in locations, who and what they follow, and most recent searches.
In September, Facebook had said that hackers had stolen digital log-in codes to take over almost 50 million user accounts.
The hackers began by using a series of seed accounts and attacking the accounts of friends, then friends of friends, and so on down the line, eventually amassing a group of 400,000 compromised accounts. On the Facebook Help Center users can check if they have been affected and what information may have been accessed. As you can see, my account was not accessed.
Explaining the breach, Facebook said, "The attackers exploited a vulnerability in Facebook's code that existed between July 2017 and September 2018".
The hack, one of the worst in Facebook history, comes at a time when the social network is desperately trying to regain trust with its users. Canadian users have reported having to unexpectedly log in again to their Facebook accounts after the security breach. For one million users, their accounts were hacked but no data was stolen. Or you can click this link while signed into Facebook and scroll down. On September 25, we determined this was actually an attack and identified the vulnerability. It also plans to share steps they can take to protect themselves from suspicious emails, text messages and phone calls.
Despite Friday's announcement, there are still many details about the hack that have not been made public, including who was behind it and if the attackers were targeting particular users or countries.
The synergy between three separate software bugs allowed the miscreants to misuse Facebook's View As feature - which lets users see their accounts as someone else would - to steal the access tokens associated with the viewed account.
Patrick Moorhead, founder of Moor Insights & Strategy, said the breach appeared similar to identity theft breaches that have occurred at companies including Yahoo and Target in 2013.
Earlier this year, Facebook came under fire for sharing heaps of data for over 87 million users with Cambridge Analytica.