According to the social media giant, the breach, caused by a change made to the 'view as' video uploading feature in 2017, theoretically allowed hackers to steal access tokens and use them to take over accounts. Facebook's engineers discovered the vulnerability on September 25.
As a precaution, the company said it has reset the access tokens for the 50 million affected accounts, plus 40 million more accounts that had been subject to a 'view as' look-up over the past year, bringing the total number of people who will have to log back into their accounts to 90 million. The 'view as' feature has been temporarily turned off and will remain disabled until a security review is complete.
The investigation into the incident, said to be in its early stages, has yet to determine whether the affected accounts were misused or any information illegally accessed. The company does not know who is behind the attacks, or where the attackers are based.
Law enforcement has been informed of the breach, the company said. Facebook promised to immediately reset the access tokens of any more accounts it may find to be affected.