A security researcher found a vulnerability in Facebook’s “People You May Know” feature that allows anyone to see a user’s list of friends – even when the user has set that information to private.
The researcher, Irene Abezgauz from the Quotium Seeker Research Center, found a diabolically simple way to exploit the weakness. All a hacker would have to do is create a fake Facebook profile and then send a friend request to their target. Even if the targeted user never accepted the request, the hacker could see that person’s friends via the “People You May Know” feature.
Responding to her findings, Facebook told Abezgauz that a hacker would have no way of knowing whether the suggested friends represented a user’s entire list. However, Abezgauz says that is beside the point.
“I could see hundreds of suggestions,” she said. “So, you know what, it’s not all of them. It’s 80 percent, so what. There’s a reason why I made my friends list private and I don’t want people from the internet just looking at who my friends are.”
Facebook has not responded with a fix for the loophole yet, though one will likely come as the story of Abezgauz’s simple hack spreads.