Hackers may have accessed as many as 50 million Facebook user profiles without those users’ permission, Facebook said today.
Facebook says the hackers took advantage of a “vulnerability in Facebook’s code” that gave them access to special “digital keys” that keep people logged into their accounts without needing to re-enter their password.
Getting these digital keys meant the hackers could then use them to “take over people’s accounts,” the company wrote in a blog post.
“Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed,” the company’s blog post reads. “We also don’t know who’s behind these attacks or where they’re based.”
Facebook CEO Mark Zuckerberg told reporters Friday that the company discovered the vulnerability on Tuesday and fixed the issue Thursday night. He said that it’s unknown if these hackers were able to successfully access personal data from Facebook users.
It’s the latest in what has been a long list of incidents with Facebook over the past two years. A software bug unveiled earlier this year changed users’ privacy settings without their knowledge or consent. A separate bug accidentally unblocked people that users had chosen to block, potentially jeopardizing user safety.
This latest security issue, happening less than six weeks before the U.S. midterm elections, is certainly bad news for the company. Facebook has pledged to better prepare its service for the upcoming midterms after Russian actors used so-called fake news and bot accounts to try to influence the 2016 U.S. presidential election.
Facebook stock is down more than 3 percent on the news.
Facebook says that it reset these digital keys for the 50 million affected accounts and for an additional 40 million accounts that were also potentially exposed to the vulnerability. As a result, those 90 million people will need to log back into their accounts the next time they want to use Facebook. (For context, that’s less than 5 percent of Facebook’s total user base, which passed 2.2 billion in June.)
Facebook is hosting a call with reporters at 10 am PT to discuss the breach. We’ll continue to update this story as we learn more.
Update: There was not a lot of new information on Facebook’s press call with reporters. CEO Mark Zuckerberg and Guy Rosen, a Facebook product executive who works on security, took questions for about 25 minutes and stressed that it’s still unclear whether hackers actually gathered personal information from user accounts.
The attackers did, however, try to gather personal information about people, such as their name, gender and hometown, Rosen said.
“We haven’t seen that the access tokens were used to access private messages, or posts, or post anything to the accounts,” Rosen added. “It’s important to say: The attackers could use the account as if they are the account holder.”
It’s also unclear who was behind the attack and whether or not it may have been politically motivated. “Our investigation is early and it’s hard to determine exactly who was behind this,” Rosen said. “We may never know.”
This article originally appeared on Recode.net.