Out of all of Facebook’s features, the site’s bug bounty program may have the highest return on investment. For just a few thousand dollars, the social media giant incentivizes hackers around the world to find security and privacy flaws and notify the site, which fixes them quickly. However, eyebrows were raised this week when it was announced that Facebook had paid a hacker $15,000—a huge figure for the bounty program, indicating the hacker had stumbled on something major. And indeed, he had.
When a Facebook user resets a forgotten password, Facebook sends a six-digit code to the user’s phone. Entering that code proves the user controls the phone, after which Facebook lets them set a new password, so whoever can supply the right code takes over the account. To stop attackers from simply guessing, Facebook locks the reset after roughly 10 wrong attempts; with only a million possible codes, that limit is the only thing standing between a six-digit code and a brute-force attack. Security researcher Anand Prakash found that this limit was not enforced on beta.facebook.com, and since the beta site serves the same accounts as the main one, he could submit guesses there until one matched and reset the password of any account. Literally: any account. And that is why Prakash’s payout was so huge: the flaw was simple, but the risk was a takeover of every account on the site.
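The following is an added example, not Facebook’s code or anything from Prakash’s report: a hypothetical model of a reset-code verifier in Python, with the attempt limit either enforced or switched off, plus a brute-force loop run against both. The account name, the code value, and the `ResetCodeStore` and `brute_force` names are all assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

CODE_DIGITS = 6
MAX_ATTEMPTS = 10  # the limit the article says the main site enforced


@dataclass
class ResetRequest:
    """Server-side record of one outstanding reset code (hypothetical model)."""
    code: str
    attempts: int = 0
    locked: bool = False
    used: bool = False


class ResetCodeStore:
    """Issues six-digit reset codes and verifies guesses against them.

    The attempt counter is stored with the reset request on the backend, so it
    is shared by every front end (www, m, beta, ...) that serves the same
    account.  enforce_limit=False models the beta host described in the article.
    """

    def __init__(self, enforce_limit: bool = True):
        self.enforce_limit = enforce_limit
        self.requests: dict[str, ResetRequest] = {}

    def issue(self, account: str, code: Optional[str] = None) -> str:
        # A fixed code may be passed in for tests; production always picks one.
        if code is None:
            code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.requests[account] = ResetRequest(code=code)
        return code  # in a real system this goes out by SMS, not to the caller

    def verify(self, account: str, guess: str) -> bool:
        req = self.requests.get(account)
        if req is None or req.used or req.locked:
            return False
        req.attempts += 1
        # constant-time compare: the check must not leak how many digits matched
        if hmac.compare_digest(req.code, guess):
            req.used = True
            return True
        if self.enforce_limit and req.attempts >= MAX_ATTEMPTS:
            req.locked = True  # further guesses are rejected without checking
        return False


def brute_force(store: ResetCodeStore, account: str) -> tuple[bool, int]:
    """Submit codes 000000..999999 in order; return (success, guesses_submitted)."""
    for n in range(10 ** CODE_DIGITS):
        guess = f"{n:0{CODE_DIGITS}d}"
        if store.verify(account, guess):
            return True, n + 1
        if store.requests[account].locked:
            return False, n + 1
    return False, 10 ** CODE_DIGITS


if __name__ == "__main__":
    # Constructed scenario: the same account, first on a host with no limit,
    # then on one that enforces it.
    open_store = ResetCodeStore(enforce_limit=False)
    open_store.issue("victim", code="004242")
    print("no limit:", brute_force(open_store, "victim"))      # (True, 4243)

    limited = ResetCodeStore(enforce_limit=True)
    limited.issue("victim", code="004242")
    print("limit enforced:", brute_force(limited, "victim"))   # (False, 10)
```

The design point is where the counter lives: if each front end keeps its own count, or one front end keeps none, an attacker just moves to the host with the weakest check, which is exactly what the beta site allowed. Keying the counter to the reset request on the backend makes every host share one budget of guesses. A real implementation would also expire the code after a few minutes and rate-limit by source address, neither of which the model above attempts.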
“One of the most valuable benefits of bug bounty programs is the ability to find problems even before they reach production,” Facebook said. “We’re happy to recognize and reward Anand for his excellent report.”
It is fortunate that well-intentioned hackers so often find problems like this first. There is no telling the kind of havoc a malicious one could have wreaked with it.