Facebook announced a major security breach on Friday, and information has been trickling out ever since.
While the public waits for a full accounting of what happened and who was affected, here's a quick overview of what we know so far.
What happened?
Facebook says attackers were able to get into and take control of about 50 million accounts, as if they were the users in charge of those accounts. But the company has not said yet if any of the accounts were actually taken over and used, and if so, for what purpose.
A further 40 million accounts connected to the compromised accounts were deemed "at-risk" by the social media giant. It's not clear if these "connected" accounts include only Facebook "friends" of the affected accounts, or if other connections like shared private group membership might also have exposed users to risk.
The incident also could have affected third-party accounts, like Instagram, that let users log in with their Facebook accounts, the company has acknowledged. But we won't know for sure until Facebook and law enforcement agencies complete their investigations.
Facebook knows how it happened: the attackers used three previously unknown application vulnerabilities, which only allowed access if they were exploited together.
But Facebook says it does not know who did it or their motivation – a piece of the investigative puzzle that could take months to uncover.
What should Facebook users do now?
Not much.
Facebook automatically logged the 90 million compromised or at-risk users out of their accounts, then asked them to log back in. That patched the vulnerabilities for those users. Those 90 million represent only about 4 percent of the company's user base as of the second quarter.
Personally identifiable information, like social security numbers, passwords or credit cards, weren't stolen.
If this hack and the other privacy and security incidents over the last year are enough to make you want to quit Facebook entirely, you can follow CNBC's guide on how to deactivate your account.
Will users defect?
Probably not. Facebook's scandals of the past year barely put a dent in its active users. Daily active users remained flat between Q1 and Q2 at 185 million users, but that's probably more because of saturation -- nearly everyone in North America who's online already has a Facebook account. Active users saw a small dip in the European Union, which the company has attributed to new privacy regulation in the region, but grew in the Asia-Pacific region.
This could change if details about the attack – such as how or why these accounts were used – are particularly egregious. But so far, Facebook has shown that it's able to keep users despite weathering security storms.
Will it hurt Facebook's stock?
There could be some short-term effects as more information comes out, but it probably won't have a major effect on the stock long-term.
Facebook's stock dipped about 2% after the announcement on Friday, and has not recovered.
By contrast, the price fell 24% after second-quarter earnings after the company missed revenue expectations and warned of a slowdown.
But in general, data breaches don't have huge long-term repercussions on stock prices. Even major breaches that cut to a company's core business – like Equifax's mishap involving consumer credit data in September 2017 – show markets tend to forgive and forget. Equifax's stock is almost back to the level it was before the breach, after losing more than a third of its value in September of last year.
Will regulators take notice?
This is where Facebook is likely to see the most significant bottom-line impact.
The European Union's General Data Protection Regulation, which imposes a maximum fine of 4 percent of a company's yearly turnover, could theoretically lead to a fine as big as $1.6 billion. The European Data Protection Commissioner has released statements indicating they're displeased with the company's response thus far.
In the U.S., the Federal Trade Commission will likely also look into the incident. FTC Commissioner Rohit Chopra Tweeted "I want answers on Friday." The Commission may not have the heft of GDPR's new fine structure, but their ability to monitor companies for years after an incident is significant.
Lawsuits will also surely follow, especially if Facebook reveals some customers were victimized by having their accounts misused, or their data stolen and misused elsewhere. Uber recently paid $148 million to settle with 50 states over a breach involving personal information.
It's also possible regulators will question Facebook's cybersecurity organizational structure. The company's chief security officer, Alex Stamos, left his position in August, and the company said at the time it would not replace him. Instead, they have opted to decentralize the security function throughout the company's lines of business, an unconventional decision that may invite scrutiny now that the company has suffered a significant breach.
