How This Indian Bug-Bounty Hunter Hacked 1.6 Billion Facebook Accounts

3 min read
Opinions expressed by Entrepreneur contributors are their own.

You're reading Entrepreneur India, an international franchise of Entrepreneur Media.

Bug Bounty Hunting – the profession of ethical or “White hat” hackers who intentionally hack into servers and companies websites with the hope to find an exploit are finally receiving the popularity they deserve. One such bounty Hunter famous bug bounty hunter is Bangalore based Anand Prakash who managed to track a bug on that gained him unfiltered complete access to every Facebook user, or almost 1 billion profiles.  Fortunately for Mark Zuckerberg, instead of going rougue and exploiting the bug to cause havoc, steal private images, conversations, credit card details and harass/blackmail anyone, he immediately reported the bug to Facebook’s bug reporting team. In exchange for his work, Facebook instantly rewarded him US$ 15,000 or more than 10 lac rupees!

The bug

The vulnerability was relatively easy to exploit but had a massive impact. Whenever a user forgets his password on Facebook, he has an option to reset the password by entering his phone number/ email address on

Facebook then sends a 6 digit code on the user’s phone number/email address which user has to enter in order to set a new password. To prevent brute force attacks (where a computer keeps trying every logical combination of numbers on the login page till eventually reaching the correct password), Facebook has limited 10-12 attempts per account before waiting. Exploiting this, Anand gained access to any account on Facebook.

The exploit

Brute force protection was valid only on the main homepage, However a alternate URL, and did not have the same protection. Exploiting this, he brute forced his way to gain access to any account at all by resetting their password. The newly set password could be used to login any account.


Facebook reacted immediately and fixed the bug within few hours. Just one week later, Anand received the confirmation and in light of the extremely crucial exploit, decided to reward him the bounty.

Anand has previously exposed several bugs in popular websites, including hacking 62.5 million Zomato users as well as deleting any note from any user’s account for which he was awarded 2500US$ and forced unstoppable spamming of posting on behalf of any of your friends. He was awarded 12,500 US$ for exploiting this bug.

Anand Prakash (Image source:

As you can see ethical hacking is an extremely value able profession and businesses can gain a lot from voluntarily encouraging users to find out bugs before unethical hackers find the same bug. They can save millions in data loss apart from losing the trust of millions of users. Entrepreneurs, start-ups and businesses should be encouraged to reward generously to bug bounty hunters. Does your start-up have a bug reporting reward system? Let us know in the comments on our official Facebook page, Entrepreneur India

More from Entrepreneur

Get heaping discounts to books you love delivered straight to your inbox. We’ll feature a different book each week and share exclusive deals you won’t find anywhere else.
Jumpstart Your Business. Entrepreneur Insider is your all-access pass to the skills, experts, and network you need to get your business off the ground—or take it to the next level.
Starting, buying, or growing your small business shouldn’t be hard. Guidant Financial works to make financing easy for current and aspiring small business owners by providing custom funding solutions, financing education, and more.

Latest on Entrepreneur