The hackers - whose identities are still a mystery - accessed the names, phone numbers and email addresses of 15 million users, he said.
For another 14 million people, hackers accessed the same data along with other profile information like "username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birth date, device types used to access Facebook, education, work", he said.
Hackers were able to obtain Facebook "access tokens", which allowed them to access compromised users' accounts and scrape their data.
For affected users, and another 40 million that Facebook considered at risk, the first order of business is simply to sign back into the app, because Facebook signed those users out automatically.
A company executive said on a conference call that Facebook will not provide country-by-country breakdowns of the affected users.
Three errors in Facebook's software enabled someone accessing "view as" to post and browse from the Facebook account of the other user.
"This kind of information could help thieves create social engineering-based theft programmes, preying on the Facebook hack victims".
The vulnerability the hackers exploited existed from July 2017 through late last month, when Facebook noticed an unusual increase in use of its "view as" feature.
But the hackers went deeper into users' profiles than initially thought, the company also said Friday.
"Today's update from Facebook is significant now that it is confirmed that the data of millions of users was taken by the perpetrators of the attack", the Irish Data Protection Commission wrote on Twitter.
"For 14 million people, the attackers accessed the same two sets of information, as well as other details people had on their profiles".
Thomas Rid, a professor at Johns Hopkins University, also said the evidence, particularly the size of the breach, seems to point to a criminal motive rather than a sophisticated state operation, which usually targets fewer people.
The attackers didn't take any information from about 1 million people whose accounts were vulnerable.
Rosen also said Facebook did not find any evidence suggesting the tokens were used with the Facebook Login feature either, which would have allowed the attacker to log into third-party apps via Facebook tokens.
Facebook believes only one million of the total compromised accounts had no personal information accessed whatsoever.
The company does note that it is not ruling out "small-scale attacks", either, and is investigating.