Facebook has seen a number of legal troubles in recent days, from gender bias claims over advertising practices to content moderators alleging they were traumatized by graphic images. But on Friday, the company announced what could blossom into its biggest legal issue to date: a data breach that affects more than 50 million users.

On a post on the company's blog, authored by Facebook vice president of product management Guy Rosen, the social network announced that it had discovered a security breach affecting almost 50 million accounts on Tuesday, Sept. 25. Facebook said it has already fixed the vulnerability and informed law enforcement of the issue.

Rosen said the vulnerability occurred through a Facebook feature called “View As,” which allows users to see what their own profile looks to someone else. “This allowed them to steal Facebook access tokens which they could then use to take over people's accounts,” Rosen wrote. “Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don't need to re-enter their password every time they use the app.”

Facebook has reset the access tokens to those 50 million accounts it knows were affected, and is currently investigating an additional 40 million accounts. It is also turning off the “View As” feature until further notice.

“Since we've only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed,” Rosen added. “We also don't know who's behind these attacks or where they're based. We're working hard to better understand these details — and we will update this post when we have more information, or if the facts change.”

A number of technology companies have been asked to pay up lately due to legal liability incurred from data breaches. Earlier this week, Uber settled for $148 million to resolve lawsuits brought by various states over a 2016 data breach. Yahoo settled a series of data breach class actions last week as well, for which it had set aside $47 million in retribution and an approved $80 million for related shareholder lawsuits.