It added that hackers also stole name and contact details from the accounts of another 15 million people. The social network has put out more details about the attack, which exploited a vulnerability in Facebook's code between July 2017 and September 2018 affecting the "View As" feature that lets people preview how their profile appears to others.
The new details come two weeks after Facebook first announced that attackers had access to 50 million users' accounts - meaning they could have logged in as those users.
Facebook has said the attackers gained the ability to "seize control" of those user accounts by stealing digital keys the company uses to keep users logged in. For those 400,000, the attackers could see what the users see as they look at their own profiles.
However, unlike other major hacks involving big companies, Facebook said it had no plans to provide protection services for concerned users. Facebook is writing to the affected users to inform them about the breach of their private information.
Thirty million people have been affected by a massive hack of Facebook, with the attackers gaining access to millions of victims' highly sensitive personal data.
In its latest update, the company said that it will continue to cooperate with the FBI, the U.S. Federal Trade Commission, the Irish Data Protection Commission and other authorities on cybersecurity matters.
This action triggered a massive traffic spike, which Facebook engineers detected on September 16. Following investigations into the source of the traffic, they concluded on September 26 that it was a coordinated attack, patched the View As vulnerability on September 27, and went public with the breach on September 28. The attackers used an automated technique to move from account to account so they could steal the access tokens of those friends, and of friends of those friends, and so on, totalling about 400,000 people.
While Facebook has cautioned that the attack was not as large as it had originally anticipated - it forced 90 million users to log out so the security of their profiles would reset - the details of what was stolen have made security experts anxious.
Rosen said the FBI investigation also limited what he could disclose about what the hackers' end-goal may have been, but maintained that Facebook had "no reason to believe this attack was related to the midterm elections" in the US.
It says third-party apps and Facebook apps like WhatsApp and Instagram were unaffected by the breach.
Facebook said it took a precautionary step of resetting "access tokens" for another 40 million accounts which had accessed the "view as" function.
The breach was disclosed at the worst possible time for Facebook, which is grappling with a series of crises that have shaken user trust in the world's largest social network. Particularly distressing is that the hackers accessed the last 15 searches from millions of users, a hodgepodge of text strings that could be embarrassing and revealing.