How This Indian Bug-Bounty Hunter Hacked 1.6 Billion Facebook Accounts

Bug Bounty Hunting – the profession of ethical or “White hat” hackers who intentionally hack into servers and companies websites with the hope to find an exploit are finally receiving the popularity they deserve. One such bounty Hunter famous bug bounty hunter is Bangalore based Anand Prakash who managed to track a bug on Facebook.com that gained him unfiltered complete access to every Facebook user, or almost 1 billion profiles.  Fortunately for Mark Zuckerberg, instead of going rougue and exploiting the bug to cause havoc, steal private images, conversations, credit card details and harass/blackmail anyone, he immediately reported the bug to Facebook’s bug reporting team. In exchange for his work, Facebook instantly rewarded him US$ 15,000 or more than 10 lac rupees!

The bug

The vulnerability was relatively easy to exploit but had a massive impact. Whenever a user forgets his password on Facebook, he has an option to reset the password by entering his phone number/ email address on https://www.facebook.com/login/identify?ctx=recover&lwv=110

Facebook then sends a 6 digit code on the user’s phone number/email address which user has to enter in order to set a new password. To prevent brute force attacks (where a computer keeps trying every logical combination of numbers on the login page till eventually reaching the correct password), Facebook has limited 10-12 attempts per account before waiting. Exploiting this, Anand gained access to any account on Facebook.

The exploit

Brute force protection was valid only on the main homepage, facebook.com. However a alternate URL, beta.facebook.com and mbasic.beta.facebook.com did not have the same protection. Exploiting this, he brute forced his way to gain access to any account at all by resetting their password. The newly set password could be used to login any account.


Facebook reacted immediately and fixed the bug within few hours. Just one week later, Anand received the confirmation and in light of the extremely crucial exploit, decided to reward him the bounty.

Anand has previously exposed several bugs in popular websites, including hacking 62.5 million Zomato users as well as deleting any note from any user’s account for which he was awarded 2500US$ and forced unstoppable spamming of Facebook.com/thanks posting on behalf of any of your friends. He was awarded 12,500 US$ for exploiting this bug.

Anand Prakash (Image source: http://www.anandpraka.sh)

As you can see ethical hacking is an extremely value able profession and businesses can gain a lot from voluntarily encouraging users to find out bugs before unethical hackers find the same bug. They can save millions in data loss apart from losing the trust of millions of users. Entrepreneurs, start-ups and businesses should be encouraged to reward generously to bug bounty hunters. Does your start-up have a bug reporting reward system? Let us know in the comments on our official Facebook page, Entrepreneur India

Edition: November 2016

Get the Magazine

Limited-Time Offer: 1 Year Print + Digital Edition and 2 Gifts only $9.99
Subscribe Now