In theory Facebook could be fined if it is found to be in breach of GDPR, Europe's data protection rules.
It has not revealed whether other services for which people use their Facebook log-ins - such as Tinder and Spotify - have also been affected.
Facebook has now fixed the issue.
People potentially affected were logged out of their accounts on Friday and those definitely affected were notified.
Facebook says it has identified 50 million accounts which were certainly involved in the breach, with an extra 40 million also warned as a precautionary measure.
It is also unknown whether networks of friends were affected, as their data would have been visible to anyone with access to an individual's account.