Facebook Bug Discovered That Allowed Anyone To Bypass Two-Factor Authentication

For years, Facebook has quietly paid freelance security researchers to find and report bugs within its systems. And it’s a good thing they do, because these so-called “bug bounty hunters” frequently turn up serious privacy and security issues for the company to address. The latest example occurred this week when an independent researcher notified the social media giant about a flaw in its new Accounts Center feature that would’ve allowed hackers to turn off a user’s two-factor authentication (2FA) protections just by knowing their phone number.

According to the researcher, a bad actor could launch a “brute force” attack to link a user’s Facebook and Instagram accounts, effectively bypassing their security settings.

“If the phone number was fully confirmed and 2FA enabled in Facebook, then the 2FA will be turned off or disabled from victim’s account,” the security researcher wrote. “And, if the phone number was partially confirmed (that means only used for 2FA), it will revoke the 2FA, and also the phone number will be removed from [the] victim’s account.”

Thankfully, Facebook says there’s no indication this flaw was exploited in the real world. However, if this intrepid researcher hadn’t discovered it, it could very likely have been exploited eventually to attack unsuspecting users.



