CEO Mark Zuckerberg said in a call with reporters the company “patched the issue last night and are taking precautionary measures” to avoid any further damage.
The hackers were able to steal from 50 million accounts, so-called access tokens used to keep people logged into Facebook so they don’t have to constantly re-enter their passwords, explained Facebook vice president of product management Guy Rosen. With the access tokens, hackers could take control of a person’s account, effectively allowing them to do things like read personal messages, post comments, and share information with other users.
The attack is different from Facebook’s Cambridge Analytica scandal, in which an academic researcher built an app that gleaned information from Facebook, and then gave the data to a political consulting firm, violating Facebook’s policies. Although Cambridge Analytica employees were alleged to have used Facebook user data to send people personalized messages to influence their political beliefs, the firm never actually controlled Facebook user accounts without their knowledge.
About Facebook’s latest data hack, Zuckerberg said, “The investigation is still very early,” and “We do not yet know if any of the accounts were actually misused.”
Rosen said that Facebook has notified the FBI and law enforcement of the hack, which he attributed to attackers who were able to exploit three separate software bugs within Facebook’s web infrastructure. Rosen said the hackers were likely sophisticated, considering they were able to discover the bugs, realize how they were connected to each other, and carry out the attacks.
Still, Rosen said “it is hard to determine who is behind this.”
“We may never know,” Rosen said.
The latest hack is another major misstep for Facebook, which has been trying to win back consumer trust after several recent debacles. Besides the Cambridge Analytica scandal, lawmakers have criticized Facebook for failing to prevent the spread of propaganda from Russian-linked entities before the 2016 U.S. Presidential election, and is facing legal problems related to alleged discrimination caused by its automated personalized ad-targeting services.
This week, tech news site Gizmodo and a team of academic researchers reported that when Facebook users give the company their phone number for security purposes, online advertisers are able to use that information to send personalized ads.
Additionally, several top executives have recently left the social networking giant as it attempts to weather its storm of recent controversies. They include Facebook’s security chief Alex Stamos, who departed in August to join Stanford University, and communications and policy head Elliot Schrage, who left in June.
Get Data Sheet, Fortune’s technology newsletter.
Earlier this week, the co-founders of Facebook-owned Instagram abruptly announced they were leaving, reportedly due to disagreements with Facebook’s management team taking more control of the popular photo-sharing app.
Meanwhile, WhatsApp co-founder and former Facebook employee Brian Action also expressed resentment with Facebook executives in an interview with Forbes published this week over the company’s increasing influence on the messaging app, which Facebook bought in 2014 for $19 billion. Facebook executive David Marcus responded to Action’s interview and called him “low class.”
About Facebook’s latest data blunder, U.S. Senator Mark Warner said that it “is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users.”
When asked by a reporter why Facebook users should continue to trust the company after so many missteps, Zuckerberg reiterated that the company takes security issues seriously, patched the latest vulnerability, and took additional precautionary measures.
“Security is an arms race,” Zuckerberg said.
Facebook shares fell nearly 3% in midday trading on Friday to $164.30.