On Friday, Facebook announced good news about the massive data breach that was revealed on September 28 – followed by a lot of bad news.
The good news is that the number of users whose accounts were hacked is 30 million, down from Facebook's initial estimate of 50 million. Facebook also says that user accounts on Instagram, Oculus, WhatsApp and third-party apps were not affected. (Here's how to tell if your Facebook account has been hacked.)
The bad news is that Facebook can now confirm that the vast majority of these victims actually had their personal information stolen. (All it had said before was that their accounts were accessible.) And while Facebook still does not know what the hackers intend to do with this information, there are many possibilities. Regarding who did it, Facebook said, "We are cooperating with the FBI, which is actively investigating and has asked us not to discuss who might be behind this attack."
The security update came two weeks after Facebook revealed for the first time that a series of vulnerabilities had allowed hackers to take control of millions of users' accounts. They did it in part by abusing a feature called "View As" that was meant to show you what your Facebook profile looked like to other people. The breach is believed to be the worst in Facebook's history, even if it has still not provoked the same level of outrage as the Cambridge Analytica scandal earlier this year.
I say "still" because, for the moment, we do not know the total impact of the data theft. And we may never know its true scope, because much of the impact could come in the form of individual identity theft and spear-phishing attacks that are difficult to tie directly to information stolen from users' Facebook accounts.
First, the numbers. Of the 30 million people affected, Facebook said that 1 million had no information stolen. That is reassuring for those relatively few people. Fifteen million others had personal information stolen, such as their name and contact information. This is bad, especially if the contact information included people's cell phone numbers, let alone if they used these numbers for two-factor authentication, an essential security measure in many online services.
But what is really troubling is that a much richer set of personal data was stolen from 14 million Facebook users. In a blog post, Facebook said the data included the following:
Username, gender, locale/language, relationship status, religion, hometown, self-reported current city, date of birth, types of devices used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.
Yuck! This is the kind of information that could be used to harass a person or their family, to answer the security questions that protect their online accounts, to deceive them by pretending to be a person they know, or to trick them into clicking on a malicious link or disclosing sensitive information. These are just some of the possibilities that come to mind.
Facebook executive Guy Rosen said in a press call on Friday that the company cannot yet tell whether the victims of the hack have been targeted by phishing attacks, but he at least indicated that Facebook was aware of the possibility. He added that when the company informs the victims, it will also ask them to watch for suspicious emails or text messages that might try to take advantage of the stolen data.
When Facebook announced the breach for the first time, some found it reassuring that users' passwords were not stolen. Instead, the hackers used something called digital access tokens to get into accounts without entering a password. It also comes as a kind of relief that Facebook thinks credit card information was not exposed.
But in the long run, stolen passwords or credit card numbers might have been less damaging than what the hackers did take. After all, you can change your passwords or get a new credit card. It's not so easy to change your hometown, mobile phone number, religion, friends and family, or search history.
This is the type of information that, in the wrong hands, could continue to haunt people for years, if not for the rest of their lives. And although we do not yet know exactly whose hands this information is in, it's a safe bet that they are not hands you'd want in your personal life. This data could also be sold or even publicly disclosed on online forums.
There are still many things we do not know about this hack. We can expect more sordid details to emerge over time. The best hope now for the people affected is that whoever stole their information is cautious with it, or better still, does nothing with it. But that seems unlikely. And the scariest part is that we may never know for sure.