The issue was discovered on 25 September and the social media giant said it had since taken steps to mitigate the breach and has alerted law enforcement.
Facebook CEO Mark Zuckerberg says the company doesn't know yet whether hackers who had exploited a security vulnerability have misused any of the user account information. The attackers used that vulnerability to steal "access tokens", which are digital keys that Facebook uses to keep people logged in. As a precaution, Facebook also reset the access tokens of an additional 40 million accounts whose users had used the "View As" feature in the previous year.
Facebook has said that up to 50 million user accounts may have been compromised by hackers. That is enough for a phishing attack on people's other accounts, like banks or credit cards, but it does mean that no banking or sign-in information should have been at risk.
The breach is the latest privacy embarrassment for Facebook, which earlier this year acknowledged that tens of millions of users had personal data hijacked by a political firm working for Donald Trump in 2016.
The flaw that attackers exploited stemmed from a video-uploading feature change Facebook made in July 2017, but it did not elaborate. Facebook said it does know who the attackers were or where they were based.
When it discovered this vulnerability, Facebook fixed it and then reset the security tokens for nearly 50 million accounts, and to be safe, reset them for an additional 40 million other accounts. "These access tokens that were stolen show when a user is logged into Facebook and that may be enough to access a user's account on a third party site", he said.
About 90 million people will have to log back into Facebook or any of their apps that use a Facebook login, the company said.
"We are temporarily turning off the 'View As' feature, while we conduct a thorough security review".
"There is no need for anyone to change their passwords".
Facebook's Head of Security Guy Rosen released a statement following the discovery of the incident. "It's why we've taken immediate action to secure these accounts and let users know what happened", he said.
The "View As" feature has also been suspended while Facebook investigates.