Several users whose details have been compromised were based in Ukraine and Russia but some were also from the UK, US, Brazil and elsewhere, the report said on Friday.
“The hackers offered to sell access for 10 cents per account. However, their advert has since been taken offline,” it added.
The breach was first discovered in September and the messages were reportedly obtained through unnamed rogue browser extensions.
Facebook, however, said its systems were not breached as part of the hack.
Don’t Miss: WhatsApp to organise start-up challenge in India
“We have contacted browser-makers to ensure that known malicious extensions are no longer available to download in their stores,” Guy Rose, Vice President of Product Management at Facebook, was quoted as saying.
“We have also contacted law enforcement and have worked with local authorities to remove the website that displayed information from Facebook accounts.”
“One example included photographs of a recent holiday, another was a chat about a recent Depeche Mode (British rock band) concert and a third included complaints about a son-in-law,” the report said.
In the biggest-ever security breach after Cambridge Analytica scandal, Facebook in October admitted that hackers broke into nearly 50 million users’ accounts by stealing their “access tokens” or digital keys.
Rosen had said that Facebook fixed the vulnerability and reset the access tokens for a total of 90 million accounts — 50 million that had access tokens stolen and 40 million that were subject to a “View As” look-up in 2017.
Ireland’s Data Protection Commission (DPC), which is Facebook’s lead privacy regulator in Europe, has opened a formal investigation into this data breach that could result in a fine of $1.63 billion.
According to Digital Trends, the latest hack involves the use of browser extensions.
“It is always best to check which source an extension is coming from, and which permissions it is being granted access to,” it said.