Facebook disclosed on Friday that hackers stole data from 50 million people.
In a blog post, Facebook’s vice president of product management Guy Rosen said that the company’s engineering team “discovered a security issue affecting almost 50 million accounts.”
“It’s clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As,’ a feature that lets people see what their own profile looks like to someone else,” Rosen wrote. “This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts.”
“The vulnerability itself was the result of three distinct bugs and was introduced in July 2017,” Rosen told reporters in a press call. “It’s important to say—the attackers could use the account as if they were the account holder.”
The vulnerability exploited by the hackers is fixed and Facebook is working with the FBI, Rosen said on the call. Facebook has a total of roughly 2 billion users, so the breach impacted approximately 2.5 percent of Facebook users.
“We patched the issue last night and are taking precautionary measures for those who might have been affected,” Facebook CEO Mark Zuckerberg said in a call with reporters.
Zuckerberg said that the company’s initial investigation has not indicated that the hackers were able to access private messages, change any information, or post to accounts. He said the hackers “did try to query our APIs—name, gender, hometown, etc. We do not yet know if any private information was accessed this way.”
The company is also resetting the access tokens of another 40 million people.
“As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login,” Rosen wrote.
The company is still investigating the incident. Rosen wrote that the company doesn’t know who is behind it or where they are from. If you were one of the around 50 million victims, or the other 40 million users potentially affected, you should have been forced to log in again. Zuckerberg says that those who have been affected will get a notification at the top of their news feed.
“This is a really serious security issue, and we’re taking it very seriously,” Zuckerberg said. “We have a major security effort at the company that hardens all our surfaces and investigates issues like this. I’m glad that we found this and we were able to fix the vulnerability and secure the accounts. It definitely is an issue that this happened in the first place. This underscores the attacks that our platform and community face.”
Facebook is already facing widespread criticism for how it handles users’ data—CEO Mark Zuckerberg testified in front of several Congressional committees about the Cambridge Analytica scandal, in which third parties were found to be scraping Facebook data and using it to target ads. Thursday, Gizmodo reported that Facebook has also been allowing advertisers to target users based on phone numbers that users gave the company for security purposes.
In August, Facebook’s Chief Security Officer Alex Stamos left the company. At the time, Facebook announced that the company has no plans to replace him.