Hackers used a vulnerability in the platform's code to steal other users' "access tokens" and log into their accounts.
Due to the hack, Facebook has already reset these access tokens.
It's a serious flaw: Not only do the access tokens provide access to Facebook itself, but to any third-party site which uses Facebook's single sign-on (SSO) system - many of which, like music streaming service Spotify, handle financial details.
Facebook suffered a massive data breach exposing up to 50 million accounts and potentially 40 million other users.
The use of such information could make these scams and phishing attempts look more credible, said the Singapore Computer Emergency Response Team (SingCERT), which issued an advisory for Facebook users last Saturday.
However, several Business Insider reporters who were required to log back into their accounts told the media that they did not see any type of message upon reentry.
Facebook's worst-ever security breach is a major blow to the company's effort to rebuild trust with users of the social network after a privacy scandal in March.
Access tokens, such as cards or other physical devices (as used by some banks, for example), are a solution - as long as you don't lose them. "This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users". Facebook claims there was no impact on WhatsApp users.
Zuckerberg followed that up by saying the company is "taking it really seriously", but that he is "glad that we found this and we're able to secure the accounts".
Facebook is also being coy about just who has been affected. We do not know whether or not the hackers archived private information of millions of users, and whether or not this data will surface on the darknet. If investigators find Facebook violated Europe's new General Data Protection Regulation (GDPR), the company might face fines up to $1.63 billion, according to the Wall Street Journal.
No passwords were taken in the breach, only "tokens", according to vice president of product management Guy Rosen. "We may never know", Mr Rosen said, though he noted that the scale and complexity of the hack would have required "a certain level" of expertise.
The hack may have violated the EU's new privacy law called the General Data Protection Regulation, which would result in a hefty fine if European Union citizens were affected. But it estimates the firm could have had access to the data of up to 87 million users, most in the United States, without their consent, and mined this information to serve the Trump campaign.