can you tell if I understood your article right?
Since Facebook password reset requests look like this, the only two things you need are Facebook IDs and random passcodes. You can’t (even with a thousand IP addresses) pick an ID and try to repeatedly guess a corresponding passcode, but you actually can pick a passcode and repeatedly guess a corresponding Facebook ID.
And because the range of random codes is so small you have the chance of 1 to million to find a good pair, which is pretty worthy.
But I don’t understand your beginning about duplicate passcodes and stuff. Why do you need duplicate passcodes for it to work? I would just slowly and without any rush started to pick one ID after another, performed a password reset request for that ID and then tried it against my chosen passcode. Would it work or do I get it wrong?
Oh and btw you were a bit lucky. There was only about 86 % chance that your chosen passcode will fit to some of your tested IDs. Here, enjoy watching some math:
It would be soo sad if you were unlucky and didn’t match the passcode with any from those two million IDs. :-) On the other hand if I’m right I would choose the dynamic approach and tried them one by one — you might have had a lucky shot at first thousand and the remaining 1 999 000 ID checks then were just a pure DoS…