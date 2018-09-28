

Facebook's app is displayed on an iPhone in this July 2018 file photo. Photographer: Johannes Berg/Bloomberg (Johannes Berg/Bloomberg)

Facebook said Friday that hackers had stolen information associated with 50 million user accounts that could have allowed them to take over the accounts, in the latest mishap for a company that has spent months struggling to regain the confidence of policymakers and the public.

The company said as many as 90 million Facebook users — out of a total of 2.2 billion — will have to log back into their accounts as a result of the breach. Notifications will appear at the top of the Facebook news feed for the 50 million who were directly affected, executives said on a call with reporters.

Using the attack, hackers were able to gain access to profile information such as users' names, hometowns and genders, Facebook said. It is possible they could have had access to more, but Facebook said its investigation is still in its early stages. No credit card information was exposed, Facebook executives said, and so far there is no evidence the attackers sought to access private messages or post fraudulent messages from the account.

The company has notified federal authorities as well as European data security officials, but declined to say whether it has reached out to other law enforcement agencies.

Facebook discovered the breach on Tuesday after noticing a spike in user activity on Sept. 16., which prompted engineers to investigate further. They soon found three interlocking bugs on Facebook’s website that attackers had been using to gain access to accounts.

The attackers exploited Facebook’s systems through a flaw in the company’s “View As” feature, the company said, which allows a Facebook user to view his or her own profile as somebody else might see it.

Embedded in the “View As” feature was a video uploader that was incorrectly generating security tokens — pieces of code that, under normal circumstances, are designed to let a user remain logged in even after navigating away from Facebook’s website.

The incident prompted Facebook to disable the “View As” feature for the time being, and users are not being asked to change their passwords. The company has not determined who is responsible for the attack.

“People’s privacy and security is incredibly important, and we’re sorry this happened,” Facebook said in a blog post. It’s why we’ve taken immediate action to secure these accounts and let users know what happened."

The company said that the security issue was patched last night.

Facebook’s stock dropped more than 3 percent following the news.