Facebook has said 50 million users were affected by a security breach which potentially enabled hackers to take over people’s accounts.
The social media giant has not yet determined whether the accounts were misused or what information was accessed.
Nor does it know who is behind the breach or where they are based.
Facebook said the breach was discovered on Tuesday afternoon, and stemmed from a change it made to its video uploading feature in July 2017.
A feature called “View As”, which allows users to see what their profile looks like to someone else, subsequently became vulnerable.
Guy Rosen, from the California-based company, said hackers were able to “steal Facebook access tokens which they could then use to take over people’s accounts”.
In a statement on the company’s website, he described access tokens as the “equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app”.
He added: “It’s clear that attackers exploited a vulnerability in Facebook’s code.
“We’ve fixed the vulnerability and informed law enforcement.”
About 90 million people will now have to log back in, after an additional 40 million accounts, on top of the initial 50 million, were reset as a precautionary measure.
The “View As” feature has been temporarily turned off as the company conducts a “thorough security review”.
While an investigation is still in its early stages, Mr Rosen said Facebook was “working hard to better understand” what had happened.
“If we find more affected accounts, we will immediately reset their access tokens,” he added.
Mr Rosen said users’ privacy and security were “incredibly important”, and apologised for what had happened.
He advised: “If anyone wants to take the precautionary action of logging out of Facebook, they should visit the security and login section in settings.
“It lists the places people are logged into Facebook with a one-click option to log out of them all.”
The UK’s National Cyber Security Centre said in a statement: “Based on current information, we understand that Facebook have fixed the flaw by temporarily suspending the ‘View As’ feature.
“There is no evidence that people have to take action such as changing their passwords or deleting their profiles.
“However, users should be particularly vigilant to possible phishing attacks, as if data has been accessed it could be used to make scam messages more credible.”
Chairman of the Commons’ Digital, Culture, Media and Sport Select Committee, Damian Collins, tweeted: “More serious questions for Mark Zuckerberg and Facebook – this is why (my committee) will continue to press for him to give evidence to our parliament.”
Labour’s shadow secretary of the committee, Tom Watson, said Facebook “should have discovered this industrial scale data breach months ago”.