PHOTO: Photo Illustration: Shutterstock / CNN
Now playing
03:39
Exclusive: Is Facebook doing enough to stop election meddling?
Chris, a Trump supporter, reacts to a fact check of a manipulated video shared by the Trump campaign.
Chris, a Trump supporter, reacts to a fact check of a manipulated video shared by the Trump campaign.
PHOTO: CNN
Now playing
03:58
What Trump supporters see on their Facebook feeds
PHOTO: CNN
Now playing
02:03
Watch this former exec compare Facebook to Big Tobacco
Screengrab Nick Clegg facebook
Screengrab Nick Clegg facebook
PHOTO: CNN
Now playing
07:34
Facebook exec explains the company's US election actions
Now playing
05:15
Misleading videos shared by Republicans get millions of views
Now playing
02:24
Under questioning, Zuckerberg admits Instagram was a 'competitor'
Now playing
03:31
Congresswoman grills Facebook CEO on copying competitors
PHOTO: From Facebook
Now playing
02:40
Zuckerberg blasts Trump administration for worsening pandemic
Facebook co-founder, Chairman and CEO Mark Zuckerberg testifies before the House Energy and Commerce Committee in the Rayburn House Office Building on Capitol Hill April 11, 2018 in Washington, DC. This is the second day of testimony before Congress by Zuckerberg, 33, after it was reported that 87 million Facebook users had their personal information harvested by Cambridge Analytica, a British political consulting firm linked to the Trump campaign.  (Photo by Chip Somodevilla/Getty Images)
Facebook co-founder, Chairman and CEO Mark Zuckerberg testifies before the House Energy and Commerce Committee in the Rayburn House Office Building on Capitol Hill April 11, 2018 in Washington, DC. This is the second day of testimony before Congress by Zuckerberg, 33, after it was reported that 87 million Facebook users had their personal information harvested by Cambridge Analytica, a British political consulting firm linked to the Trump campaign. (Photo by Chip Somodevilla/Getty Images)
PHOTO: Chip Somodevilla/Getty Images
Now playing
03:33
Facebook meeting 'disappointing,' says ad boycott organizer
PHOTO: Shutterstock
Now playing
01:57
Facebook removes Trump ads 'for violating our policy against organized hate'
This picture taken on July 4, 2019 in Nantes, shows logos of the US online social media and social networking service, Facebook. (Photo by LOIC VENANCE / AFP)        (Photo credit should read LOIC VENANCE/AFP via Getty Images)
This picture taken on July 4, 2019 in Nantes, shows logos of the US online social media and social networking service, Facebook. (Photo by LOIC VENANCE / AFP) (Photo credit should read LOIC VENANCE/AFP via Getty Images)
PHOTO: LOIC VENANCE/AFP/AFP via Getty Images
Now playing
02:41
He quit Facebook over Zuckerberg's handling of Trump posts. Hear why
PHOTO: Glenn Chapman/AFP/Getty Images/CNN
Now playing
03:38
He says Facebook's Libra is the future. Lawmakers aren't so sure
PHOTO: YouTube/Financial Services Committee
Now playing
02:15
Zuckerberg struggles to explain whether Facebook fact checks political ads
Mark Zuckerberg remained silent after Congressman Barry Loudermilk compared him to President Trump.
Mark Zuckerberg remained silent after Congressman Barry Loudermilk compared him to President Trump.
Now playing
00:43
Watch Zuckerberg react when a lawmaker compares him to Trump
Facebook
Facebook's CEO Mark Zuckerberg delivers his speech during the VivaTech (Viva Technology) trade fair in Paris, on May 24, 2018. (Photo by GERARD JULIEN / AFP) (Photo credit should read GERARD JULIEN/AFP/Getty Images)
PHOTO: GERARD JULIEN/AFP/Getty Images
Now playing
03:21
This is how Facebook kills its competition
facebook zuckerberg origin business orig _00011530.jpg
facebook zuckerberg origin business orig _00011530.jpg
Now playing
01:47
It took Facebook 15 years to take over the world. Here's how
(CNN) —  

On Sunday, September 16, engineers at Facebook detected some unusual activity on the social media platform’s networks. It was an attack, the biggest security breach in Facebook’s history. And it would take the company 11 more days to stop it.

Now, almost a week since the public was first told of the attack, we still barely know anything about what happened.

We don’t know who the hackers were, or what they were looking for. We don’t know whether they were targeting particular people in certain countries. We don’t know how long they had access to users’ information. And we don’t know what, if anything, they took.

What we do know is that for at least 50 million users, the hackers could have seen everything. They could have logged in as if they were those users, and then accessed years of those users’ activity history on the platform — including their private messages.

Things could get very ugly. The hackers could be trolls who decide to post a database of millions of people’s private messages online for everyone to read. They could be Russian intelligence, gathering information from politicians’ personal accounts and then sitting on it until just the right moment to wreak havoc on the midterm or 2020 elections. They could be blackmailers, combing through the messages of high-value targets like politicians, government officials, and wealthy individuals.

Or maybe none of that is true. We might learn that the attackers didn’t access all the information that was exposed, or that they weren’t as sophisticated as feared, that they were just playing around, or that they never quite realized how potentially earth-shaking their accomplishment was. They might never do anything with the information they stole — or they may never have stolen anything at all.

The attackers figured out how to exploit three separate vulnerabilities in Facebook’s code. Facebook said last week it didn’t know when the hackers had figured it all out, but that the vulnerabilities had existed since July 2017.

What the attackers did before Facebook (FB) found and fixed the vulnerabilities may determine the social media company’s future.

Soon, Facebook will have to give the public, lawmakers and regulators, not just in the US but all over the world, answers to some very big questions.

Was September 16, the day the engineers noticed something was amiss, the beginning of the attack? Were the hackers siphoning off data for the 11 days took Facebook to fix the problem? Or, even worse, were the attackers in the system long before Facebook ever detected something was wrong?

The worst scenario for Facebook and its users is that the attackers had unfettered access to 50 million accounts for an extended period of time and knew exactly what they were doing.

If the hackers want to undermine Facebook or cause it lasting damage — or simply create chaos — they could at any time post the private information of millions of people openly online.

Hackers did something like that in 2015 to Ashley Madison, a dating site for people cheating on their partners, posting a searchable database of email addresses registered to accounts on the website. The public disclosure of that kind of private information can have tragic and permanent consequences; some people caught up in the Ashley Madison hack committed suicide.

When the Cambridge Analytica scandal broke earlier this year, it prompted a global outcry and Facebook’s stock tumbled 18%. That story did have the allure of a pink-haired whistleblower and Cambridge’s ties to the Trump campaign. But this breach, which has gotten far less attention, could impact many more people than Cambridge did.

Facebook relies on trust. People trust that their pictures will be seen only by those in their networks, that their private messages will be read only by the people to whom they were sent. Facebook may look like a juggernaut now, but social networks have fallen before, and if this attack destroys that trust, the company could quickly find itself in dire straits.

Figuring out who the attackers were and what they did and didn’t do is now paramount for the company.

One of the most important objectives after discovering an attack is “stopping the bleeding,” Shawn Henry, an FBI veteran who is the president of the cybersecurity firm CrowdStrike Services, told CNN Business. CrowdStrike was hired by the Democratic National Committee after it was hacked during the run-up to the 2016 election.

“You want to establish how deeply infiltrated the environment is, what has the adversary compromised, are they still there? How long have they been there?” he said, speaking not about the Facebook breach specifically, but about his experience running investigations into cyber intrusions.

We may never know who attacked Facebook. We may never know whether they stole personal information. Or we may learn the answers to both — in public and, for tens of millions of people, far too late.