Just after confirming the controversial practice of using 2FA phone numbers to send targeted ads to Facebook users, the platform has discovered a flaw that’s left at least 50 million accounts compromised by attackers.

Announced in a blog post today, Facebook shared details on a flaw in its “View As” feature that allowed hackers to take over Facebook accounts. “View As” is what allows users to look at their profile as others see it. Facebook’s VP of Product Management, Guy Rosen, said that the recently discovered exploit allowed attackers to obtain access tokens, which are what keep users logged into their accounts over multiple sessions. These tokens are what would have let attackers take over Facebook accounts.

Facebook’s investigation is still underway. While the flaw has been patched, it’s unclear to Facebook if the stolen tokens were used, and if so how many accounts were affected. In any case, Facebook has reset the access tokens for 90 million accounts, which means you may find yourself needing to log back in to the platform.

The vulnerability came from changes Facebook made to a video uploading feature over a year ago.

Second, we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.

Finally, the security update says users don’t need to change their passwords and ends with a brief apology:

If this latest breach is making you reconsider using Facebook, check out our guide on deactivating or deleting your account.

Update: FTC commissioner Rohit Chopra has tweeted on the news saying “I want answers.”

I want answers. https://t.co/kZSttt4fmF

— Rohit Chopra (@chopraftc) September 28, 2018

Facebook has shared more details: hackers would have had access to third-party apps through compromised accounts.

uh this is bad: Facebook telling reporters now that this hack disclosed earlier today would have let hacker login to third party apps through a compromised Facebook account

so basically a Cambridge Analytica redux situation we’re potentially looking at

— Alex Heath (@alexeheath) September 28, 2018