The attackers exploited Facebook's systems through a flaw in the company's "View As" feature, which allows a Facebook user to view his or her own profile as somebody else might see it, the company said.
Embedded in the "View As" feature was a video uploader that was incorrectly generating security tokens - pieces of code that, under normal circumstances, are designed to let a user remain logged in even after navigating away from Facebook's website.
The incident prompted Facebook to disable the "View As" feature for the time being, and users are not being asked to change their passwords. The company has not determined who is responsible for the attack.
"People's privacy and security is incredibly important, and we're sorry this happened," Facebook said in a blog post. "It's why we've taken immediate action to secure these accounts and let users know what happened."
The company said that the security issue was patched Thursday night. Facebook's stock dropped more than 3 per cent following the news.
The disclosure adds to a brutal year for Facebook, which is still grappling with the fallout from its Cambridge Analytica fiasco and the prospect of new regulations or legislation in Washington that could target tech companies. Zuckerberg and his top lieutenants have been summoned repeatedly to Capitol Hill to answer for their company's role in spreading misinformation and hate speech online.
Mark Warner, the ranking member of the Senate Intelligence Committee, called the breach "deeply concerning" and called for a full investigation.
"This is another sobering indicator that Congress needs to step up and take action to protect the privacy and security of social media users," said Warner. "As I've said before - the era of the Wild West in social media is over."
Other lawmakers on Wednesday grilled representatives from Google, Twitter and a number of telecom companies on their approach to user privacy, in some cases demanding commitments to concrete proposals such as a requirement that companies disclose data breaches within 72 hours of discovery. The companies largely balked at discussing specifics, instead pledging to work with the Senate Commerce Committee to craft a comprehensive national privacy law.
Meanwhile, tech companies such as Facebook face growing scrutiny by state and federal law enforcement who are exploring whether to invoke antitrust law against some of the industry's practices. The Federal Trade Commission has held a series of hearings on the issue, and the Justice Department this week met with numerous state attorneys general to discuss Silicon Valley's handling of user data.
The meeting opened the door to a possible multi-state probe into the tech industry even as federal officials weigh whether they have the resources to mount an antitrust effort. On Friday, the Justice Department's antitrust chief, Makan Delrahim, said he was receptive to complaints about tech companies but that regulators lack "credible evidence" to build an antitrust case. In the United States, antitrust lawsuits typically require regulators to marshal enough economic data to persuade a judge that competition has been harmed by a company's actions.
Facebook on Wednesday notified federal authorities as well as European data security officials of the security incident, but on Friday the company declined to say whether it has reached out to other law enforcement agencies.
Ireland's Data Protection Commission - the watchdog charged with monitoring compliance with GDPR, the European Union's new data privacy law - said in a statement Friday that Facebook's disclosure "lacks detail" and that it was pushing the company to reveal more as a "matter of urgency." Violations of GDPR can carry enormous penalties: Up to 4 per cent of a company's annual revenue.