Facebook’s data breach was smaller than first feared, the network has now said, but for those most seriously affected, losses are vast and highly personal.

Its estimate has been revised down from 50 million users to 29 million.

Facebook said the FBI had requested it did not discuss who may be responsible for the attack, which was first revealed last week.

The breach centred on the use of access tokens, which allow users to log on more easily.

Users can visit this link to find out if they have been directly affected.

“We have not ruled out the possibility of smaller-scale attacks, which we’re continuing to investigate,” Facebook’s head of product management, Guy Rosen, said in a blog post.

“Of the 50 million people whose access tokens we believed were affected, about 30 million actually had their tokens stolen,” he said.

Access tokens are used to save users the effort of logging in every time they want to use Facebook.

Mr Rosen said of the 29 million users hit, 15 million had their names and contact details gathered.

But for 14 million users, the theft was far greater.

The stolen data included “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birth date, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or pages they follow, and the 15 most recent searches”.

The remaining one million whose tokens were stolen lost no data, Mr Rosen said.

Big fine possible

“As we look for other ways the people behind this attack used Facebook, as well as the possibility of smaller-scale attacks, we’ll continue to co-operate with the FBI, the US Federal Trade Commission, Irish Data Protection Commission, and other authorities.”

In Europe, Facebook could face a potential fine of up to $1.63bn (£1.25bn), which is approximately 4% of its annual global revenue. The breach is being seen as the first major test of the EU's new General Data Protection Regulation (GDPR), which came into force in May.

“Today’s update from Facebook is significant now that it is confirmed that the data of millions of users was taken by the perpetrators of the attack,” the European Commission wrote on Twitter.

"[The] investigation into the breach and Facebook’s compliance with its obligations under GDPR continues."

