Facebook has admitted that 50million accounts were accessed by hackers – who were able to see all of your personal info, photos, and even private messages.
The monumental blunder was slipped out as a blog post late on Friday afternoon, three days after the attack was first discovered.
Speaking to reporters, Facebook revealed the significant danger behind this hack: "Attackers could use the account as if they were the account holder."
As a precaution, Facebook is now logging around 90million people out of their accounts. You'll have to log back in to Facebook – that includes any apps that you might log into with Facebook, like Spotify.
"On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts," said Facebook's Guy Rosen.
"We’re taking this incredibly seriously and wanted to let everyone know what’s happened and the immediate action we’ve taken to protect people’s security."
According to Facebook, attackers exploited a vulnerability in the website's code.
It specifically impacted "View As", which is a feature that lets you see what your own profile looks like to someone else.
Hackers used this feature to steal Facebook's access tokens.
Access tokens are like digital keys that keep you logged into Facebook – so you don't have to re-enter your password every time you use the app.
This means that hackers would've been able to access your Facebook account, potentially giving them access to your entire profile, your private messages and more.
"This attack exploited the complex interaction of multiple issues in our code," Facebook admitted.
"It stemmed from a change we made to our video uploading feature in July 2017, which impacted 'View As.'
"The attackers not only needed to find this vulnerability and use it to get an access token, they then had to pivot from that account to others to steal more tokens."
Facebook says it has "fixed the vulnerability", and told law enforcement about the issue.
The world's largest social network has also reset the access tokens for the 50million accounts that Facebook admits were affected.
Facebook is also resetting access tokens for another 40million accounts that have been subject to a "View As" look-up in the last year – as a precautionary measure.
This means that roughly 90million users will be logged out of Facebook, and any apps linked to Facebook.
When you log back in, you'll see a notification at the top of your News Feed explaining what happened.
Facebook has also temporarily turned off the "View As" feature so it can "conduct a thorough security review".
Facebook says it's "only just started our investigation", so it can't confirm whether your account was "misused or any information accessed".
The company also admits that it's clueless about who the hackers are.
"Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed," said Facebook's Guy Rosen.
"We also don’t know who’s behind these attacks or where they’re based.
"We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change.
"In addition, if we find more affected accounts, we will immediately reset their access tokens."
Facebook said that there was no evidence private messages had been accessed, but that hackers were able to "use [accounts] as if they were the account holder".
That means they could have accessed your profile information, your posts, your friends list, your photos and videos, the groups you follow, anything you've ever liked, the cache of data Facebook stores on you, and even your private messages.
However, Facebook confirmed that credit cards and passwords hadn't been stolen.
Details are still muddy, but Facebook said your password won't have been compromised.
Attackers were able to log on as you and browse your profile and messages, but this wouldn't give them access to your password.
"There's no need for anyone to change their passwords," Facebook said.
Still, we think it's a good idea to change your passwords anyway, because hackers may have been able to glean details about your login credentials through information around your Facebook profile.
This goes for your Facebook password and any other passwords you use on other sites or services.
Facebook declined to tell The Sun how many UK users have been affected. Facebook also failed to take any questions from The Sun during a conference call about the hack on Friday evening.