Facebook has said hackers may have stolen account access tokens on as many as 50 million users.
The company said in a blog post Friday that it discovered attackers exploiting a vulnerability on the site earlier in the week. The bug is part of the site’s “View As” feature that lets a user view their profile as someone else.
Facebook said that it’s reset those access tokens, and an additional 40 million accounts. Anyone affected may have been logged out of their account — either on their phone or computer. Facebook also said that users will be notified once they log in.
The company has switched off the “View As” feature in the meantime while it conducts a security review.
“We have yet to determine whether these accounts were misused or any information accessed,” said Guy Rosen, Facebook’s vice president of product management. “We also don’t know who’s behind these attacks or where they’re based.”
Facebook has contacted law enforcement, the blog post said. The social network has 2.2 billion monthly active users.
“If we find more affected accounts, we will immediately reset their access tokens,” said Rosen.