Updated 1:33 p.m. ET

Facebook says it has discovered a security breach affecting nearly 50 million accounts, and that it's not yet clear whether any information was accessed or any accounts were otherwise misused.

The vulnerability that caused the breach was found Tuesday and was fixed on Thursday night, Facebook says. The company is working with the FBI and conducting an investigation, which is "still in its early stages," the company said.

As a result of the breach, attackers could gain access to a user's account — hypothetically giving them the ability not only to view information, but to use the account as though they were the account holder.

"We do not yet know if any of the accounts were actually misused," Facebook CEO Mark Zuckerberg told reporters on Friday. "This is a really serious security issue, and we are taking it really seriously."

Facebook does not know who carried out the attacks or where they were based. They know the attackers attempted to access profile information, but not whether they succeeded; they do not yet have evidence that the attackers accessed private messages or posted to accounts.

The attack involved stealing "access tokens." Facebook explains:

"[A]ttackers exploited a vulnerability in Facebook's code that impacted 'View As', a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people's accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don't need to re-enter their password every time they use the app." 

Nearly 50 million accounts are known to be affected, and have had their access tokens reset. An additional 40 million accounts have had their tokens reset as a "precautionary step."

"As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login," Facebook says. "After they have logged back in, people will get a notification at the top of their News Feed explaining what happened."

The "View As" feature has also been temporarily turned off, pending a security review.

The vulnerability that made the attack possible was caused by multiple bugs in Facebook's code interacting; it was introduced in July 2017. At some point attackers discovered the vulnerability and began exploiting it.

On Sept. 16th, Facebook noticed a pattern of unusual activity on the site and launched an investigation.

Copyright 2018 NPR. To see more, visit http://www.npr.org/.