Facebook and Instagram users were left vulnerable to account takeover attacks due to a bug in a new centralized system created by Meta.

The bug was discovered by Nepalese security researcher Gtm Mänôz, who found that the Meta Accounts Center, which helps users link all their Meta accounts, did not set a limit on the number of attempts made to enter a two-factor authentication (2FA) code.

An attacker could have taken advantage of the vulnerability by using a victim’s phone number to link that number to their own Facebook account, before attempting to brute force the 2FA code.

With no upper limit on the number of attempts, the attacker could have eventually guessed the correct code, thereby linking the victim’s phone number to their own Facebook account.
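The defect described above is a missing attempt limit on the code check. As an added illustration that is not from the article and not Meta's code, the following Python sketch shows a phone-link verifier in the weak shape (every guess is checked) beside a hardened shape that voids the code after a bounded number of failures; the limit of 5 and the 15-minute lockout are assumed policy values.

```python
import hmac
import secrets
import time

# Policy values assumed for this example; they are not Meta's settings.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60


class PhoneLinkVerifier:
    """Confirms a phone-number link with a 6-digit code, tracking failures per link."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}       # (account_id, phone) -> {"code": str, "failures": int}
        self._locked_until = {}  # (account_id, phone) -> unix time the lockout ends

    def start_link(self, account_id, phone):
        """Issue a fresh code, or None while the link is locked out after abuse."""
        key = (account_id, phone)
        if self._now() < self._locked_until.get(key, 0.0):
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[key] = {"code": code, "failures": 0}
        return code  # returned only so the example is testable; a real system sends it by SMS

    def verify_unlimited(self, account_id, phone, guess):
        """The vulnerable shape: every guess is checked, so a 6-digit code falls within 10**6 tries."""
        p = self._pending.get((account_id, phone))
        return p is not None and hmac.compare_digest(p["code"], guess)

    def verify_limited(self, account_id, phone, guess):
        """The hardened shape: a bounded number of wrong guesses voids the code and locks the link."""
        key = (account_id, phone)
        p = self._pending.get(key)
        if p is None:
            return False
        if hmac.compare_digest(p["code"], guess):
            del self._pending[key]  # a code is single-use
            return True
        p["failures"] += 1
        if p["failures"] >= MAX_FAILURES:
            del self._pending[key]  # void the code so guessing cannot continue
            self._locked_until[key] = self._now() + LOCKOUT_SECONDS
        return False
```

A failed-attempt counter is only half of the fix; the code must also be invalidated when the counter trips, otherwise the attacker simply waits out the lockout and resumes against the same code.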

This would result in the victim’s 2FA protection being disabled and a notification being sent to the victim that their phone number had been linked to another account.

Facebook and Instagram users are advised to check their 2FA settings and ensure that their phone number is properly linked to their account to prevent any potential account takeover attacks.