Indian hacker finds critical Facebook bug and gets reward
Anand Prakash, a Bengaluru-based hacker, recently found a critical flaw in Facebook’s log-in system that could have let an attacker take over other users’ Facebook accounts with little effort, putting as many as 1.6 billion users of the social media platform at risk. According to Anand’s post on his official blog, the vulnerability gave a hacker full access to another person’s account without any interaction from the victim.
“Whenever a user forgets his password on Facebook, he has an option to reset the password by entering his phone number/email address. Facebook will then send a 6-digit code to his phone number/email address which the user has to enter in order to set a new password. I tried to brute the 6-digit code on www.facebook.com and was blocked after 10-12 invalid attempts,” he said.
He then tried the same thing on beta.facebook.com and mbasic.beta.facebook.com and found that “rate limiting was missing on forgot password endpoints.” Because the code could be guessed without limit there, he was able to set a new password for his account and then use that password to log in to the account.
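The control that the beta endpoints were missing is a per-account budget of wrong guesses for the reset code. The following verifier is an added illustration written for this article, not Facebook’s code or Anand’s: the limit of 10 attempts, the 10-minute expiry and the account identifiers are constructed assumptions. It counts failures against the account whose code is being guessed (not against the client or the front-end host), invalidates the code once the budget is spent, and makes the code single-use.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed policy values (assumptions for this example, not Facebook's real settings).
MAX_ATTEMPTS = 10          # wrong guesses tolerated before the code is destroyed
CODE_TTL_SECONDS = 600     # a code is only valid for ten minutes after issue
CODE_DIGITS = 6


@dataclass
class PendingReset:
    code: str
    issued_at: float
    failures: int = 0


class ResetCodeVerifier:
    """Attempt limiting for a 6-digit password-reset code, keyed by account.

    Every front end (www, beta, mbasic, ...) must call into the same store,
    so switching hostnames cannot give an attacker a fresh guessing budget.
    """

    def __init__(self, clock: Callable[[], float] = time.time):
        self._pending: Dict[str, PendingReset] = {}
        self._clock = clock

    def issue_code(self, account_id: str) -> str:
        # A new code replaces any older one and resets the failure counter.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account_id] = PendingReset(code=code, issued_at=self._clock())
        return code  # in a real system this goes to the user's phone/email, not the caller

    def attempts_left(self, account_id: str) -> int:
        p: Optional[PendingReset] = self._pending.get(account_id)
        return 0 if p is None else MAX_ATTEMPTS - p.failures

    def verify(self, account_id: str, guess: str) -> bool:
        p = self._pending.get(account_id)
        if p is None:
            return False                      # no live code, so nothing can match
        if self._clock() - p.issued_at > CODE_TTL_SECONDS:
            del self._pending[account_id]     # expired: discard without comparing
            return False
        if hmac.compare_digest(p.code, guess):
            del self._pending[account_id]     # single use: consumed on success
            return True
        p.failures += 1
        if p.failures >= MAX_ATTEMPTS:
            del self._pending[account_id]     # budget spent: even the right code is now useless
        return False


if __name__ == "__main__":
    v = ResetCodeVerifier()
    code = v.issue_code("example-account")
    wrong = f"{(int(code) + 1) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"
    for _ in range(MAX_ATTEMPTS):
        v.verify("example-account", wrong)
    print("correct code accepted after lockout:", v.verify("example-account", code))
```

The important design choice is that the counter lives with the pending code in the backend store rather than in any one web tier: a per-host or per-IP throttle is exactly the kind of control that is easy to forget on a secondary domain. Expiry and single use limit how long a leaked or guessed code stays valuable, and `hmac.compare_digest` avoids leaking the code through timing.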
The flaw could give a hacker full access to a user’s “messages, his/her credit/debit cards stored under payment section, personal photos etc.”
According to Anand, Facebook has acknowledged the issue and fixed it. Anand, who works at Flipkart as a security engineer, has also been paid a $15,000 reward by the social media giant for bringing the vulnerability to light.