Facebook didn't respond to a request for comment, and Rosen declined to provide specific details on the attackers because the FBI is investigating the breach.
The hackers accessed names, email addresses or phone numbers from the 29 million accounts, according to Facebook. Facebook said on Friday that, "We now know that fewer people were impacted than we originally thought", and said that 30 million people had been impacted.
Facebook said it was continuing to investigate whether the attackers took actions beyond stealing data, such as posting from accounts but had not found additional misuse.
It was done automatically, Facebook's vice president of product management, Guy Rosen, said in a press call Friday, until the hackers amassed 400,000 accounts within their own network.
It said: 'On the afternoon of Tuesday, 25 September, our engineering team discovered a security issue affecting nearly 50 million accounts. Users will also see a "customised message" in the coming days to assist in preventative measures.
Rosen said Facebook is cooperating with the ongoing FBI investigation into the breach, but would not give any details on who the hackers were or where they were based. "For 1 million people, the attackers did not access any information".
With an initial set of accounts under their control, the attackers, said Rosen, exploited the vulnerable code to run a script that collected access tokens from their friends and the friends of their friends, representing a group of about 400,000 people.
This action triggered a massive traffic spike, which Facebook engineers detected on September 16, and following investigations into the source of the traffic concluded it was a coordinated attack on September 26, patched the View As vulnerability on September 27, and went public with the breach on September 28.
Company officials declined to say what countries the hackers had targeted, but described the security breach as a "broad" attack.
A man is silhouetted against a video screen with a Facebook logo in the background as he poses with a laptop in Zenica, Bosnia and Herzegovina, August 14, 2013.
On September 27, Rosen said Facebook closed the vulnerabilities, secured affected accounts, and reset access tokens for those accounts. In the case of 14 million victims, the attackers gained access to a variety of data including locations, contact details, relationship status, and recent searches - highly sensitive data that could be used to facilitate identify theft.