Facebook says that attack was discovered on the afternoon of Tuesday, September 25, and that the attackers exploited a vulnerability in Facebook's code that impacted "View As", a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people's accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don't need to re-enter their password every time they use the app.
Facebook later fixed the vulnerability and informed law enforcement. The company also reset the access tokens of the almost 50 million accounts that were affected to protect their security. Facebook also took the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a "View As" look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.
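The remediation described above, resetting tokens for the accounts known to be affected and, as a precaution, for a second set of accounts, is a standard pattern for responding to a token theft. The following is an added illustration, not Facebook's code: a server-side token store in which every token records the user's "generation" counter at issue time, so that a reset bumps the counter and invalidates all of that user's outstanding tokens at once, without having to find each stolen token. The class, function and user-ID sets are hypothetical and constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass
class AccessToken:
    value: str        # opaque random string handed to the client
    user_id: int
    generation: int   # user's generation counter when the token was issued
    issued_at: float


class TokenStore:
    """Hypothetical server-side access-token store (not Facebook's implementation)."""

    def __init__(self, ttl_seconds: int = 60 * 60 * 24 * 60):
        self._tokens: Dict[str, AccessToken] = {}
        self._generation: Dict[int, int] = {}   # user_id -> current generation
        self._ttl = ttl_seconds
        self.audit_log = []                       # (user_id, reason) for every reset

    def issue(self, user_id: int, now: Optional[float] = None) -> str:
        """Mint a fresh token bound to the user's current generation."""
        now = time.time() if now is None else now
        value = secrets.token_urlsafe(32)         # 256 bits from the OS CSPRNG
        gen = self._generation.setdefault(user_id, 0)
        self._tokens[value] = AccessToken(value, user_id, gen, now)
        return value

    def validate(self, value: str, now: Optional[float] = None) -> Optional[int]:
        """Return the user_id if the token is live, else None."""
        now = time.time() if now is None else now
        tok = self._tokens.get(value)
        if tok is None:
            return None
        if now - tok.issued_at > self._ttl:
            return None                           # expired
        if tok.generation != self._generation.get(tok.user_id, 0):
            return None                           # revoked by a reset
        return tok.user_id

    def reset_user(self, user_id: int, reason: str) -> None:
        """Invalidate every outstanding token for one user (O(1), no token scan)."""
        self._generation[user_id] = self._generation.get(user_id, 0) + 1
        self.audit_log.append((user_id, reason))

    def reset_many(self, user_ids: Iterable[int], reason: str) -> int:
        """Bulk reset; returns the number of distinct users reset."""
        ids = set(user_ids)
        for uid in ids:
            self.reset_user(uid, reason)
        return len(ids)


def simulate_incident_response() -> Dict[str, object]:
    """Constructed scenario mirroring the two-tier reset described in the article."""
    store = TokenStore()
    affected = {1, 2, 3}          # accounts whose tokens are known to be stolen
    viewed_as = {3, 4}            # accounts looked up via the feature (precautionary)
    unaffected = {5}
    tokens = {uid: store.issue(uid) for uid in affected | viewed_as | unaffected}

    # Tier 1: accounts with confirmed token theft.
    store.reset_many(affected, "confirmed-token-theft")
    # Tier 2: precautionary reset; user 3 is in both sets and is reset only once here.
    store.reset_many(viewed_as - affected, "precautionary-view-as")

    still_valid = {uid: store.validate(tok) is not None for uid, tok in tokens.items()}
    # A user who logs back in gets a token under the new generation.
    reissued = store.issue(1)
    return {
        "still_valid": still_valid,
        "reissued_valid": store.validate(reissued) == 1,
        "resets_logged": len(store.audit_log),
    }


if __name__ == "__main__":
    print(simulate_incident_response())
```

The generation counter is what makes a fleet-wide reset cheap: the server never has to enumerate or locate the stolen tokens, and any token the attacker still holds fails validation the moment the counter moves. The audit log records which tier each reset belonged to, which is what a post-incident review needs.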
Facebook is also temporarily turning off the "View As" feature.
This attack stemmed from a change Facebook made to the video uploading feature in July 2017, which impacted "View As." The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens.
The company does not yet know if information has been misused or accessed, which is something CEO Mark Zuckerberg reiterated during a media call.
Passwords were apparently not accessed. Neither was any credit card information.
The company said there's no need for anyone to change their passwords. But people who are having trouble logging back into Facebook - for example because they've forgotten their password - should visit Facebook's Help Center.