Back On September 28, Facebook (FB) announced that as many as 90 million users may have had their “access tokens”, which keep people logged into their account, stolen by hackers. The number was subsequently reduced to 30 million accounts whose phone numbers and email addresses were accessed in the largest security breach in the company’s history.

Of the 30 million exposed, 14 million users had much more data harvested, including; “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches,” according to the company.

It now appears that their private messages were also compromised.

According to the BBC, hackers appear to have compromised and published private messages from at least 81,000 Facebook users’ accounts. The unknown perpetrators also told the BBC Russian Service that they had details from a total of 120 million accounts, which they were attempting to sell.

Meanwhile, Facebook said its security had not been compromised noting that the data had probably been obtained through malicious browser extensions.

Despite denying it had been breached, Facebook said it had taken steps to prevent further accounts being affected even though just over a month ago it admitted a massive hack had broken through its security tokens.

Meanwhile, the BBC said that while many of the users whose details were compromised are based in Ukraine and Russia, some are from the UK, US, Brazil and elsewhere.

“We have contacted browser-makers to ensure that known malicious extensions are no longer available to download in their stores,” said Facebook executive Guy Rosen.

“We have also contacted law enforcement and have worked with local authorities to remove the website that displayed information from Facebook accounts.”