EXECUTIVE SUMMARY:

After the recent Facebook data breach, millions of Facebook users might find themselves in the cross-hairs of identity thieves and phishers.

Last month, Cyber Talk reported that Facebook exposed the information of 50 million users after a data breach. That number was eventually scaled back to 30 million after Facebook further investigated.

At the time, it was unclear who was behind the attack. Now, it appears that spammers are the culprits. The Wall Street Journal reports, “Internal researchers now believe that the people behind the attack are a group of Facebook and Instagram spammers that present themselves as a digital marketing company, and whose activities were previously known to Facebook’s security team, said the people familiar with the investigation.” The social media giant believes that the spammers hoped to profit through deceptive advertising.

The security team at Facebook identified the breach September 25, after noticing a massive download of digital access tokens—essentially keys to accounts. Although the hackers could have accessed messages, they opted instead for contact information, which included—for some—gender, relationship status, and search and check-in data.

The wealth of personal data exposed is valuable because it can make phishing e-mails seem more credible. With that level of detail, spammers can specifically tailor e-mails, text messages, and phone calls to pose as friends, relatives, or acquaintances and trick victims. If an attacker poses as your boss in an e-mail and mentions a specific personal detail, you’re more likely to believe the sender is legitimate.

The massive data breach is one of several incidents from the past year that have dinged Facebook’s reputation, especially when it comes to privacy and data protection. Not surprisingly, Facebook is exploring buying a cybersecurity startup before the year ends, to help deal with its cybersecurity woes.

Get the full story at The Wall Street Journal.