To prove the legitimacy of the data breach, hackers published private Facebook messages of nearly 81,000 users.
Without naming the extensions, Facebook explains that these malicious extensions quietly monitored users' activity, and sent data back to the hackers, without the users' knowledge.
What's going on: Hackers told BBC News they have access to 120 million accounts, which they are attempting to sell to interested parties.
Rosen had said that Facebook fixed the vulnerability and reset the access tokens for a total of 90 million accounts - 50 million that had access tokens stolen and 40 million that were subject to a "View As" look-up in 2017.
Upon further investigation, BBC Russian Service contacted five users whose private messages were leaked online and was able to verify the posts' authenticity.
Most of the affected users were based in Ukraine and the Russian Federation, but some were also from the UK, US, Brazil and elsewhere. All of the messages breached were of a personal nature, from the tame subject of discussing a music concert to the more explicit.
Facebook says there's been no breach in its security, and that the data was obtained using a dodgy web extension.
"We have also contacted law enforcement and have worked with local authorities to remove the website that displayed information from Facebook accounts".
The still-unidentified hackers were asking for $0.10 per account, according to the report.
"Data from a further 176,000 accounts was also made available, although some of the information - including email addresses and phone numbers - could have been scraped from members who had not hidden it", the report reads.
The big picture: The latest security breach involving Facebook may not be the company's fault.
The BBC said there was reason to believe the 120 million claim was exaggerated.
Facebook's Rosen said that its security wasn't compromised, and urged people to remove any plug-ins they don't fully trust.