Fifty million Facebook users have been exposed to ID fraud after the biggest cyber attack on the social media giant in its history.

The company revealed that hackers were able to access accounts on an unprecedented scale due to a security hole that had remained open for more than a year.

Facebook said it had alerted the FBI over the breach, and security experts said a rogue state such as Russia may have been responsible.

The cyber defence arm of GCHQ said it was investigating the hack, which allowed attackers full access to private Facebook profiles, and advised British users to be on the lookout for fraud.

Facebook was facing questions about why it had taken almost two weeks to shut the security hole after noticing “unusual traffic” on its systems in mid-September.

The breach is the latest privacy embarrassment for Facebook, which earlier this year acknowledged that tens of millions of users had personal data hijacked by Cambridge Analytica, a political firm working for Donald Trump in 2016.

Facebook said a change to its systems in July of last year had allowed hackers to steal “tokens” - digital keys that let users access Facebook without entering their password - from 50 million accounts.