A cyber security expert has found a way to hack any Facebook account by finding weaknesses in the social network’s password reset mechanism.

Samip Aryal from Nepal discovered that by uninstalling and reinstalling the app while signed in as different users, he could manipulate the profile password reset flow and change the account's login password, gaining access to the account.

He summarized the security "hole" he identified as coming down to six factors:

1 – the reset code remained valid for two hours (enough time to guess the 6-digit code)

2 – the same code was sent each time within those two hours

3 – Aryal (acting as the attacker) could submit as many incorrect codes as he needed, which again left him plenty of options

Once he hit the correct code, Aryal was able to set a new password for the account and take control of it.

Facebook, for its part, asked for some clarification before fixing the problem a few days later.
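The three weaknesses above map directly onto settings in a reset-code verifier. The following Python sketch is added here and is not part of Aryal's report or of Facebook's code; it shows a hardened implementation (short expiry, fresh code on every request, capped guesses, single use) next to the weak policy it rules out. Account names, limits and the injectable clock are illustrative assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class ResetPolicy:
    ttl_seconds: int = 600          # hardened: 10 minutes, not two hours
    max_attempts: int = 5           # hardened: lock after 5 wrong guesses, not unlimited
    new_code_per_request: bool = True  # hardened: never resend the same code


@dataclass
class ResetEntry:
    code: str
    issued_at: float
    attempts: int = 0


class ResetCodeService:
    """In-memory password-reset code issuer/verifier (illustrative, assumed design)."""

    def __init__(self, policy=None, clock=time.time):
        self.policy = policy or ResetPolicy()
        self.clock = clock              # injectable so expiry can be exercised in tests
        self._store = {}

    def issue(self, account: str) -> str:
        now = self.clock()
        entry = self._store.get(account)
        if entry and not self.policy.new_code_per_request \
                and now - entry.issued_at < self.policy.ttl_seconds:
            return entry.code           # weak behaviour: same code resent within the window
        code = f"{secrets.randbelow(10**6):06d}"  # fresh 6-digit code, replaces any old one
        self._store[account] = ResetEntry(code, now)
        return code

    def verify(self, account: str, submitted: str) -> bool:
        entry = self._store.get(account)
        if entry is None:
            return False
        if self.clock() - entry.issued_at > self.policy.ttl_seconds:
            del self._store[account]    # expired: force a new request
            return False
        if entry.attempts >= self.policy.max_attempts:
            del self._store[account]    # guess budget exhausted: invalidate the code
            return False
        entry.attempts += 1
        if hmac.compare_digest(entry.code, submitted):  # constant-time comparison
            del self._store[account]    # single use: a correct code cannot be replayed
            return True
        return False
```

With the default policy an attacker gets at most five guesses at a million possibilities inside ten minutes; the weak policy (`ResetPolicy(ttl_seconds=7200, max_attempts=10**9, new_code_per_request=False)`) reproduces the conditions the report describes.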

Enabling multi-factor authentication and keeping an eye on password reset messages or other notifications about our account are some helpful practices to protect our personal data on the platform.

If in doubt, start the password reset flow yourself, set a brand new complex password, and avoid SMS for multi-factor authentication in favour of a trusted authenticator app.