Facebook has revealed that approximately 50 million users were hit by a security breach which possibly enabled the hackers to take over their accounts.
The social media titan is yet to determine whether the accounts were misused or how the information was accessed.
It is also still investigating who is responsible for the breach and where they are based.
Facebook said that the breach was discovered last Tuesday afternoon. It said that it stemmed from a change that it made to its video uploading feature in July 2017.
It said that a feature called “View As,” which enables users to view what their profile looks like to someone else, became vulnerable.
A representative of Facebook, Guy Rosen, said that the hackers were able to “steal Facebook access tokens which they could then use to take over people’s accounts.”
In a statement that was posted on the website of the company, he said that the access tokens were the “equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”
Rosen continued: “It’s clear that attackers exploited a vulnerability in Facebook’s code.”
He added: “We’ve fixed the vulnerability and informed law enforcement.”
Approximately 90 million users will now have to log back in, after an additional 40 million accounts, on top of the first 50 million, were reset as a precautionary measure.
The “View As” feature has been turned off temporarily as the firm conducts a “thorough security review.”
While the investigation is still in its early stages, Rosen said that Facebook was “working hard to better understand” what had occurred.
He added: “If we find more affected accounts, we will immediately reset their access tokens.”
Rosen said that the privacy and security of the users were “incredibly important.” He also apologised for what had happened.
He stated: “If anyone wants to take the precautionary action of logging out of Facebook, they should visit the security and login section in settings.”
He continued: “It lists the places people are logged into Facebook with a one-click option to log out of them all.”
In a statement, the National Cyber Security Centre of the United Kingdom said: “Based on current information, we understand that Facebook have fixed the flaw by temporarily suspending the ‘View As’ feature.”
It added: “There is no evidence that people have to take action such as changing their passwords or deleting their profiles.”
It continued: “However, users should be particularly vigilant to possible phishing attacks, as if data has been accessed it could be used to make scam messages more credible.”
In a tweet, Damian Collins, the Chairman of the Commons’ Digital, Culture, Media and Sport Select Committee, stated: “More serious questions for Mark Zuckerberg and Facebook – this is why (my committee) will continue to press for him to give evidence to our parliament.”
Tom Watson, Labour’s shadow secretary of the committee, said that Facebook “should have discovered this industrial scale data breach months ago.”
He continued: “It is very disappointing that it has only come to light now.”
He added: “We need to know where affected users are and exactly how the breach happened.”