The Irish Data Protection Commission has formally begun an investigation into Facebook's recent data breach.
It will now decide whether the firm should be fined for failing to prevent hackers from being able to access up to 50 million users' accounts.
Earlier this year, the social network picked the regulator to be its "one-stop shop" for oversight of its compliance with EU privacy rules.
In theory, the watchdog can fine the US firm up to 4% of its global turnover.
Earlier, Facebook had declared that third-party apps and services which let users log in using their accounts had not appeared to have been compromised in the security attack.
Tinder and Airbnb are among those which accept Facebook log-ins as an alternative to creating an account.
Initially Facebook had suggested it was possible platforms such as these could also have been compromised.
The firm's former security chief said this was a consequence of having to report a breach at an early stage of the investigation.
The breach was announced on Friday 28 September, one day after Facebook notified the Irish data regulator, but with many unanswered questions .
Alex Stamos, who left his post as the firm's chief security officer in August, tweeted that new European privacy laws mean that firms must report data breaches before they know full details themselves.
The General Data Protection Regulation (GDPR) legislation, introduced in May 2018, states that a firm must report any security breach within 72 hours.
Interesting impact of the GDPR 72-hour deadline: companies announcing breaches before investigations are complete.— Alex Stamos (@alexstamos) October 1, 2018
1) Announce & cop to max possible impacted users.
2) Everybody is confused on actual impact, lots of rumors.
3) A month later truth is included in official filing. https://t.co/VSCVfYB8om
"You can do incident response quickly or not correctly, but not both!" he wrote.
However, some people responding argued that the public had a right to know sooner rather than later.
"The 72-hour notification brings the customer needs to the forefront, rather than shareholder value," tweeted James.
If I was in charge of #IncidentResponse I would want more time. But normally I'm the customer (or victim) - and I'd like to know asap, so I know what data/credentials etc are at risk. The 72hr notification brings the customer needs to the forefront, rather than shareholder value.— James (@jamgia) October 1, 2018
Up to 50 million Facebook accounts are believed to have been left exposed in the breach, announced last week.
An additional 40 million users were also logged out as a precautionary measure.
The issue, which was based on a weakness in a feature allowing Facebook members to view how their profile appeared to others, has now been fixed.
In a blog publicising the latest information on the attack, Guy Rosen, vice-president of product management, wrote that there was no evidence "so far" that attackers had accessed any apps using Facebook log-ins.
The breach was a result of a change made by Facebook in July 2017.
It is not yet known whether the hack affected its corporate chat app, Workplace.
The firm has no evidence yet to suggest that it has, reports Reuters.