Anand Prakash, a security researcher from India, discovered a password reset vulnerability in Facebook: a simple yet critical flaw that would have let an attacker brute-force the 6-digit reset code and reset any account's password. The flaw lay in the way Facebook's beta domains handled 'Forgot Password' requests. On the main site, brute-force protection blocks the account confirmation code after roughly a dozen wrong attempts, but Facebook had not implemented that rate limiting in the password reset process on the beta sites, so an attacker could keep guessing codes without limit.
Source: https://thehackernews.com/2016/03/hack-facebook-account.html
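The missing control in this case was a per-account attempt limit on the reset code. The following is an added example (not Facebook's code, and not from the linked article) of a password reset verifier that enforces the limit described above: it issues a random 6-digit code, counts every guess before comparing, locks the account after a dozen wrong guesses, expires codes after a fixed time, and consumes a code on first successful use. The limits, the in-memory store and the injectable clock are assumptions chosen for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 12        # constructed limit: lock after a dozen wrong guesses
CODE_TTL_SECONDS = 600   # constructed: a reset code expires ten minutes after issue
LOCKOUT_SECONDS = 3600   # constructed: a locked account stays locked for an hour


@dataclass
class _ResetEntry:
    code: str
    issued_at: float
    attempts: int = 0


class PasswordResetService:
    """Issues 6-digit reset codes and verifies guesses under a per-account limit.

    The clock is injectable so expiry and lockout can be tested without sleeping.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._codes: dict[str, _ResetEntry] = {}
        self._lock_until: dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        return self._lock_until.get(account, 0.0) > self._clock()

    def issue_code(self, account: str):
        """Return a fresh code, or None while the account is locked out.

        Refusing to issue while locked means a new reset request cannot be
        used to reset the attempt counter.
        """
        if self.is_locked(account):
            return None
        code = f"{secrets.randbelow(1_000_000):06d}"   # CSPRNG, zero-padded
        self._codes[account] = _ResetEntry(code=code, issued_at=self._clock())
        return code

    def verify_code(self, account: str, guess: str) -> bool:
        """Check a guess; every call counts toward the limit, right or wrong."""
        now = self._clock()
        if self.is_locked(account):
            return False
        entry = self._codes.get(account)
        if entry is None:
            return False
        if now - entry.issued_at > CODE_TTL_SECONDS:
            del self._codes[account]          # expired: discard, require re-issue
            return False
        entry.attempts += 1                   # count before comparing
        if hmac.compare_digest(entry.code.encode(), str(guess).encode()):
            del self._codes[account]          # single use
            return True
        if entry.attempts >= MAX_ATTEMPTS:
            self._lock_until[account] = now + LOCKOUT_SECONDS
            del self._codes[account]          # the outstanding code is void
        return False


def _demo() -> bool:
    """Feed a dozen wrong guesses and show the real code is then refused."""
    svc = PasswordResetService()
    code = svc.issue_code("demo-user")        # constructed account name
    wrong = "000000" if code != "000000" else "000001"
    for _ in range(MAX_ATTEMPTS):
        svc.verify_code("demo-user", wrong)
    return svc.is_locked("demo-user") and not svc.verify_code("demo-user", code)


if __name__ == "__main__":
    print("lockout engaged:", _demo())
```

Without the attempt counter and lockout, a 6-digit code is a keyspace of only one million values, which is exactly the exposure the beta domains had; the counter is incremented before the comparison so that a guess cannot be made "free" by failing later in the function, and the lock is keyed on the account rather than the code so that requesting a new code does not reset it.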