Facebook has said that up to 50 million user accounts may have been compromised by hackers.
The issue arose when attackers exploited a vulnerability in the social network's code for "View As" - a feature that lets people see what their own profile looks like to someone else.
This enabled them, the company said in a statement, to steal access tokens which they could then use to take over people's accounts.
"Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don't need to re-enter their password every time they use the app," Facebook said.
The issue was discovered on Tuesday 25 September by the firm's engineering team and an investigation is ongoing.
It says it cannot say yet whether the accounts were misused or any information accessed, nor does it know who was responsible for the breach.
The company says it has fixed the vulnerability and told law enforcement about the issue.
It has also reset the access tokens of the 50 million accounts it knows were impacted, in order to protect their security.
In addition to this, Facebook says as a precautionary measure it has also reset access tokens for another 40 million accounts that have been subject to a "View As" look-up in the last year.
This means that the 90 million users impacted will have to log back into the social network, or any other apps that use Facebook to log in, when they next try to open them.
They will then be informed about the breach in their News Feed when they have accessed the app again.
As another precaution, the company is also turning off the "View As" feature temporarily while it conducts a review.
The company has apologised for the breach but says it is not necessary for people to change their passwords.
Facebook has 2.23 billion users globally.
It is not yet clear if any of those impacted by the breach are in Ireland.
The Data Protection Commissioner has said it had received notification from Facebook Ireland of the breach, but that it lacked detail.
It said it is concerned that the breach was discovered on Tuesday and Facebook is still unable to clarify the risk for users.
In a statement this evening, it said: "The Data Protection Commission has received a preliminary notification from Facebook Ireland.
"However, the notification lacks detail and the DPC is concerned at the fact that this breach was discovered on Tuesday and affects many millions of user accounts but Facebook is unable to clarify the nature of the breach and the risk for users at this point.
"The DPC continues to press Facebook to clarify these matters further as a matter of urgency."