Facebook has said 50 million user accounts have been affected by a security breach.
The social media giant has not yet determined whether the accounts were misused or information was accessed.
Nor does it know who is behind the breach or where they are based.
Facebook said the breach was discovered on Tuesday afternoon, and stemmed from a change it made to its video uploading feature in July 2017.
Guy Rosen, from the California-based company, said hackers were able to “steal Facebook access tokens which they could then use to take over people’s accounts”.
In a statement on the company’s website, he described access tokens as the “equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app”.
He added: “It’s clear that attackers exploited a vulnerability in Facebook’s code.
“We’ve fixed the vulnerability and informed law enforcement.”
About 90 million people will now have to log back in to their accounts, after an additional 40 million accounts were reset as a precautionary measure.
While an investigation is still in the early stages, Mr Rosen said the company was “working hard to better understand” what had happened.
“If we find more affected accounts, we will immediately reset their access tokens,” he added.