The social network forced 90 million people—around 50 million victims plus an additional 40 million that may have been affected, according to the company—to log out and log back in again. That’s because the hackers stole their “access tokens,” a sort of digital key that Facebook creates when you log in and allows you to stay logged in when the Facebook mobile app wants to open another part of Facebook inside a browser, for example (this might occur when you click a link.)

An access token doesn’t include a user’s password, but since it allows a user to stay logged in having an access token means you can completely control the account.

“Parts of our site use a mechanism called single sign-on that creates a new access token,” Guy Rosen, Facebook’s vice president of product management, told reporters on a press call. “The way this works is: let’s say I’m logged into the Facebook mobile app and it wants to open another part of Facebook inside a browser, what it will do is use that single sign-on functionality to generate an access token for that browser, so that means you don’t have to login again on that window.”

The hackers took advantage of three distinct vulnerabilities chained together in order to steal the tokens, Rosen said.

The vulnerabilities have existed since at least July 2017 and were related to Facebook’s “View As” tool, which allows you to view your own profile as if you were someone else (this is a privacy feature—it allows, for example, you to check whether your ex, or grandma, or anyone who you want to hide things from can see certain posts on your page.)