Facebook has discovered a massive security breach affecting 50 million user accounts - including those of Facebook boss Mark Zuckerberg and COO Sheryl Sandberg.

The social media giant said attackers exploited the site's 'View As' feature, which lets people see what their profiles look like to other users.

The unknown attackers took advantage of a feature in the code called 'Access Tokens,' to take over people's accounts, potentially giving hackers access to private messages, photos and posts - although Facebook said there was no evidence that had been done.

The hackers also tried to harvest people's private information, including name, sex and hometown, from Facebook's systems.

Facebook said it doesn't yet know if information from the affected accounts has been misused or accessed, and is working with the FBI to conduct further investigations.

However, Mark Zuckerberg assured users that passwords and credit card information was not accessed.

As a result of the breach, the firm logged roughly 90 million people out of their accounts earlier today as a security measure.

CEO Mark Zuckerberg penned a post on his Facebook page about the incident, saying the issue was 'patched last night' but that it will continue to investigate the origins of the attack. Zuckerberg also assured users that passwords and credit card information was not accessed

WERE YOU AFFECTED BY THE FACEBOOK BREACH? Facebook said it logged out around 90 million users as a result of the hack. Affected users will be prompted to log back in Facebook when they try and access the site. Users are sent a six-digit code via email or to a mobile device that authenticates their identity, which they're then instructed to enter on Facebook's site. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened. Facebook also said it was temporarily turning off the 'View As' feature while it conducted a thorough security review. Advertisement

The attack marks the latest in a string of recent setbacks for Facebook, which is still recovering from the fallout over the Cambridge Analytica scandal earlier this year, which saw some 87 million users' data shared with the research firm without their knowledge.

As a result, some experts and officials have grown concerned about whether the firm can effectively manage and protect users' data.

'The implications of this are huge,' Justin Fier, director of cyber intelligence at security company Darktrace, told Reuters.

The breach could also cause problems for Facebook with European privacy laws.

Facebook said it hasinformed the Irish Data Protection Commission about the breach, a step required by Europe's GDPR regulations.

The commission said it received the notification, but expressed concern with its timing and lack of detail.

Virginia Sen. Mark Warner called the hack 'deeply concerning' and called for a full investigation.

'...Today's disclosure is a reminder about the dangers posed when a small number of companies like Facebook or the credit bureau Equifax are able to accumulate so much personal data about individual Americans without adequate security measures.

'This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users. As I've said before - the era of the Wild West in social media is over,' he added.

Not long after the breach was announced, some Twitter users also began reporting that Facebook was blocking them from sharing links to stories about the hack from the Associated Press and The Guardian.

When users attempted to share the links, they were served a message that read: 'Our security systems have detected that a lot of people are posting the same content, which could mean that it's spam. Please try a different post.'

The move caused some to speculate that it was a result of Facebook suppressing negative coverage of itself. However, Facebook later confirmed to the New York Times that it was a result of an error with the firm's spam detection tools.

Friday's announcement sent Facebook's stock plunging by as much as 3.4 percent in afternoon trading, adding to an already rough year for Facebook shares, which have fallen 6.7 percent so far this year.

Friday's news sent Facebook's stock down as much as 3.4 percent in afternoon trading, adding to an already rough year for Facebook shares, which have fallen 6.7 percent so far this year

Zuckerberg penned a post on his personal Facebook page about the incident, saying the issue was 'patched last night' but that the firm is working with law enforcement, including the FBI, to investigate the origins of the attack.

'On Tuesday, we discovered that an attacker exploited a technical vulnerability to steal access tokens that would allow them to log into about 50 million people's accounts on Facebook,' Zuckerberg wrote.

Access tokens don't include a user's password, but they do allow users to log into a Facebook account without needing it.

Not long after the breach was announced, some Twitter users also began reporting that Facebook was blocking them from sharing links to stories about the hack from the Associated Press and The Guardian. Facebook admits to security breach affecting 50 MILLION users

'Our security systems have detected that a lot of people are posting the same content, which could mean that it's spam,' the notice said. 'Please try a different post.'

Zuckerberg acknowledged in a statement to reporters that Facebook needs to take additional steps to prevent these kinds of issues from occurring in the future.

'We're taking it really seriously...We have a major security effort at the company that hardens all of our surfaces,' Zuckerberg said in a call with reporters.

'I'm glad we found this. But it definitely is an issue that this happened in the first place.'

Facebook doesn't know whether the accounts were misused, and hasn't yet found any evidence of them being misused.

The social media giant said attackers stole Facebook access tokens through its 'view as' feature, which they could then use to take over people's accounts

However, speaking with reporters, Zuckerberg said 'of course that may change,' meaning that there's a possibility they could find evidence of misuse upon further investigation into the incident.

Facebook said it's now working with the FBI to further investigate the incident.

Guy Rosen, Facebook's vice president of product management, said the breach appeared to stem from a bug in the firm's video-uploading program. Facebook began allowing users to upload videos to its site last year.

'The vulnerability itself was the result of three distinct bugs and the integration between them and it was introduced July 2017 through a video uploader,' Rosen said on the call with reporters.

'The attack did try to use the API to access profile information like name or gender,' Rosen said.

HOW TO PROTECT YOUR FACEBOOK ACCOUNT Experts have warned Facebook users to be wary of possible 'phishing attacks,' where an attacker poses as a legitimate entity and tricks a user into opening a malicious message, email or text. This can lead to the installation of malware, freezing of a system through ransomware or theft of sensitive information. Such information can be used to make purchases, steal funds or facilitate identity theft. Following the announcement of the breach, Facebook issued guidance on the next steps to take. – 90 million accounts have been automatically logged out, but no one needs to change their passwords. – If you are having difficulty logging back in – for example because of a forgotten password – you should visit Facebook's help centre. – If you have not been logged out automatically, but want to log out as a precaution, visit the 'Security and Login' section which lists all the places you are logged in to Facebook. – Use the one-click option to log out of Facebook on all PCs and devices you may have accessed it on. Advertisement

However, Rosen emphasized that the breach let attackers operate the profile as if they were the user.

'...It's important to say: The attackers could use the account as if they are the account holder.'

Facebook said it did not yet know the origin or identity of the attackers. However, the social media giant said in a blog post that it continues to investigate the origins of the breach

While users' credit card information and passwords may not have been accessed, there's still the possibility that other sensitive information was, said Simon Migliano, head of research and cybersecurity expert at the online privacy website Top10VPN.com.

'Even if these accounts were quickly disabled, or login details changed, at the very least the hackers will have got their hands on primary email addresses,' Migliano explained.

'To get hacked once is careless, to get hacked again is frankly unforgivable, and this could irrevocably damage the trust users have in Facebook.

'Who is ever going to believe them again when they say they have fixed the problem. It just feels like one excuse after another,' Migliano added.

FACEBOOK'S PRIVACY DISASTERS Facebook made headlines earlier this year after the data of 87 million users was improperly accessed by Cambridge Analytica, a political consultancy. The disclosure has prompted government inquiries into the company's privacy practices across the world, and fueled a '#deleteFacebook' movement among consumers. Communications firm Cambridge Analytica had offices in London, New York, Washington, as well as Brazil and Malaysia. The company boasts it can 'find your voters and move them to action' through data-driven campaigns and a team that includes data scientists and behavioural psychologists. 'Within the United States alone, we have played a pivotal role in winning presidential races as well as congressional and state elections,' with data on more than 230 million American voters, Cambridge Analytica claims on its website. The company profited from a feature that meant apps could ask for permission to access your own data as well as the data of all your Facebook friends. The data firm suspended its chief executive, Alexander Nix (pictured), after recordings emerged of him making a series of controversial claims, including boasts that Cambridge Analytica had a pivotal role in the election of Donald Trump This meant the company was able to mine the information of 87 million Facebook users even though just 270,000 people gave them permission to do so. This was designed to help them create software that can predict and influence voters' choices at the ballot box. The data firm suspended its chief executive, Alexander Nix, after recordings emerged of him making a series of controversial claims, including boasts that Cambridge Analytica had a pivotal role in the election of Donald Trump. This information is said to have been used to help the Brexit campaign in the UK. It has also suffered several previous issues. 2013, Facebook disclosed a software flaw that exposed 6 million users' phone numbers and email addresses to unauthorized viewers for a year, while a technical glitch in 2008 revealed confidential birth-dates on 80 million Facebook users' profiles. Advertisement

The firm learned of the incident on Tuesday and notified law enforcement on Wednesday. By Thursday, the firm had patched the vulnerability and started resetting access codes.

My personal data fears Megan White, 23, one of the 50million Facebook users logged out of their accounts, now fears her personal data may have been breached. ‘If someone has hacked me they could have my mobile number, job details and email address,’ she said last night. ‘You don’t know who has got that information now or what they could do with it.’ She had no idea why she had been logged out of her account yesterday morning until she read about the hack later. Miss White, from North London, is considering deleting her account. Advertisement

'We're also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a 'View As' look-up in the last year,' Rosen wrote in a separate blog post.

'As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login.

'After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.

Users began noticing on Thursday that they had been logged out of their account.

Affected users are prompted to log back in Facebook when they try and access the site. They'll then be sent an authentication code to an email address or mobile device.

Users are instructed to enter the code in order to log back into their Facebook account. However, not all users were able to get back into their account.

Facebook said it did not yet know the origin or identity of the attackers.

'Since we've only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed,' Rosen explained.

'We also don't know who's behind these attacks or where they're based. We're working hard to better understand these details — and we will update this post when we have more information, or if the facts change.

'In addition, if we find more affected accounts, we will immediately reset their access tokens,' he added.