The issue was discovered on Tuesday 25 September by the company's engineering team. "We're taking this incredibly seriously and wanted to let everyone know what's happened and the immediate action we've taken to protect people's security".
The social media giant said it had reset tokens for 50 million affected users as well as a further 40 million extra users as a precaution. It may force the numerous major companies and startups reliant on Facebook's login service to audit their own systems for evidence of malicious activity as a result.
Facebook on its newsroom page posted a almost 900-words report informing about a new security breach on September 28. Mark R. Warner (D-VA) released a statement describing the hack is "deeply concerning" and calling for a full investigation. "Ireland's data-protection regulator said Facebook hasn't shared enough information about the attack".
The social network's lead supervisory authority in the region, the Irish Data Protection Commission (DPC), tweeted an update on Sunday that it is "awaiting from Facebook further urgent details of the security breach impacting some 50m users, including details of European Union users which have been affected, so that we can properly assess the nature of the breach and risk to users".
Facebook also admitted this week that it uses phone numbers provided for security purposes to target individuals with ads as well as shadow contact information - data not directly provided by the user but obtained from their "friends" list.
Facebook is the largest social media platform in the world.
Hackers could have also gotten into third-party applications linked to Facebook accounts, but it was too early to determine whether that happened, according to the social network.
Manchester United crash again as City cruise past Brighton
It's something the manager talked about on the training pitch in front of the cameras. He's there to put a team out that he thinks can win the game.
The breach was made possible by exploiting the "View As" feature, which allows users to see how their profile looks to strangers. "Once logged in, the attackers could take control".
These access keys also let the attackers theoretically access any other services that someone used Facebook's login service to log in to, whether that's dating app Tinder, or a niche smartphone game, and gain access to highly personal information.
Not the first time ... probably not the last ...
The hack is the latest setback for Facebook during a tumultuous year of security problems and privacy issues.
To be sure, headlines about another hack at Facebook - it's like, on one hand, do they still surprise anyone anymore? In April, Zuckerberg appeared at a congressional hearing focused on Facebook's privacy practices.
A greater number of Facebook users' personal information was compromised just months ago.
Anyway, Facebook has since now patched the vulnerabilities and revoked the affected access tokens that were stolen by hackers.