How I Could Have Hacked Multiple Facebook Accounts

Gurkirat
HackerNoon.com
5 min read · Aug 25, 2016


Let’s get into the nitty-gritty. The only way you can reset your password on Facebook (if you’ve forgotten it) is by entering a 6-digit passcode. That’s 10⁶ = 1,000,000 possible combinations. Some algorithm that Facebook uses (which is yet to be cracked) generates a seemingly random 6-digit code whenever a person requests a password reset. That code does not change if you request it from mbasic.facebook.com until that code gets “used.” That could mean that if 1 million people request a password reset within a short amount of time, such that no one uses their code to reset the password, then the 1,000,001st person to request a code will get a passcode that someone from the batch has already been assigned.

There are 2 options here: 1) Facebook either stores duplicate codes for multiple users if more than 1 million people request a password reset code, or 2) Every user gets a unique code and Facebook uses some divine way to handle the case where 1 million+ users request a code. Since I don’t know much about the divine, I put my money on option 1.

Hence, I decided to send double the number of emails (2 million of them), hoping that some people from my 2 million will get duplicate passcodes. This is a simple application of the Pigeonhole Principle. Then all I have to do is pick a random passcode following this rule: Integers less than 100,000 have a lower probability of occurring than integers between ranges of 300,000 and 699,999 or 800,000 and 999,999, which have higher probability of…
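The counting argument above can be checked numerically from the defender's side: how many outstanding reset requests share a code, and how long a code must be to keep that exposure low. This is an added example, not code from the original post; the function names are hypothetical, and it assumes codes are drawn uniformly at random, whereas the post says the real distribution is skewed, which concentrates collisions further.

```python
import random
from collections import Counter


def expected_matches(outstanding: int, digits: int = 6) -> float:
    """Expected number of outstanding requests that hold one fixed code."""
    return outstanding / 10 ** digits


def p_any_match(outstanding: int, digits: int = 6) -> float:
    """Probability that at least one outstanding request holds one fixed code."""
    return 1.0 - (1.0 - 10 ** -digits) ** outstanding


def simulate(outstanding: int, digits: int = 6, seed: int = 1) -> dict:
    """Issue one code per account (uniform: an assumption) and count sharing."""
    rng = random.Random(seed)
    space = 10 ** digits
    counts = Counter(rng.randrange(space) for _ in range(outstanding))
    return {
        "distinct_codes": len(counts),
        "accounts_sharing_a_code": sum(n for n in counts.values() if n > 1),
        "max_accounts_per_code": max(counts.values()),
    }


def min_digits(outstanding: int, max_expected: float) -> int:
    """Shortest numeric code length that keeps the expected number of
    accounts matching any single code at or below max_expected."""
    digits = 1
    while outstanding / 10 ** digits > max_expected:
        digits += 1
    return digits


if __name__ == "__main__":
    n = 2_000_000  # outstanding, unused codes, as in the post
    print("expected accounts per code:", expected_matches(n))
    print("P(at least one account holds a given code):", round(p_any_match(n), 4))
    print("simulation:", simulate(n))
    print("digits needed for <= 0.001 expected matches:", min_digits(n, 0.001))
```

The exposure depends on how many unused codes are outstanding at once, so short expiry times and per-code invalidation shrink `outstanding` just as a longer code enlarges the space.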
