Meta’s new centralised system for managing Facebook and Instagram logins has a weakness that may have allowed hackers to disable two-factor authentication for any given account given only the account holder’s email address or phone number.
Nepalese security researcher Gtm Mänôz noticed that the new Meta Accounts Center, which lets users link all their Meta accounts (including Facebook and Instagram), placed no limit on the number of times a user could attempt to log in with a two-factor code.
If a hacker knew a victim’s phone number or email address, they could use that information to log into the centralised accounts centre, change the phone number on their own account to the victim’s, and then brute-force the two-factor SMS code protecting the victim’s Instagram or Facebook account. The absence of any cap on the number of attempts was the crucial part of the process: a six-digit SMS code has only a million possible values, so unlimited guessing makes it trivial to exhaust.
Once the code was guessed, the victim’s phone number became linked to the hacker’s account. Even after a successful attack, Meta would still notify the target that their two-factor authentication had been deactivated because their phone number had been associated with another account.
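The flaw described above is the missing attempt cap on code verification. The following is an added example, not Meta’s code, showing how a verifier that counts attempts per pending code and locks the code after a small number of failures stops exhaustive guessing; the cap of five attempts, the five-minute lifetime, and the account names are assumed values chosen for the demonstration.

```python
import hmac
import secrets
import time

# Constructed demo: a 6-digit SMS-style code protected by a per-code attempt cap.
CODE_DIGITS = 6
MAX_ATTEMPTS = 5          # assumed policy value, not taken from the article
CODE_TTL_SECONDS = 300    # assumed policy value, not taken from the article


class OtpVerifier:
    """Tracks one pending code per account and caps verification attempts."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, ttl=CODE_TTL_SECONDS, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.ttl = ttl
        self.clock = clock
        self._pending = {}  # account -> {"code": str, "attempts": int, "issued": float}

    def issue(self, account, code=None):
        """Generate and store a fresh code (what would be sent by SMS).

        `code` may be supplied explicitly for deterministic testing only.
        """
        if code is None:
            code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account] = {"code": code, "attempts": 0, "issued": self.clock()}
        return code

    def verify(self, account, submitted):
        """Return (ok, reason); refuses once the attempt cap or lifetime is exceeded."""
        entry = self._pending.get(account)
        if entry is None:
            return False, "no_pending_code"
        if self.clock() - entry["issued"] > self.ttl:
            del self._pending[account]
            return False, "expired"
        if entry["attempts"] >= self.max_attempts:
            del self._pending[account]       # burn the code; a new one must be issued
            return False, "locked"
        entry["attempts"] += 1
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(entry["code"], str(submitted)):
            del self._pending[account]       # codes are single use
            return True, "ok"
        return False, "wrong_code"


def exhaustive_guess(verifier, account):
    """Simulate guessing every code in order; returns (success, attempts_made)."""
    attempts = 0
    for guess in range(10 ** CODE_DIGITS):
        attempts += 1
        ok, reason = verifier.verify(account, f"{guess:0{CODE_DIGITS}d}")
        if ok:
            return True, attempts
        if reason in ("locked", "expired", "no_pending_code"):
            return False, attempts
    return False, attempts


if __name__ == "__main__":
    # Uncapped verifier (the bug): guessing always succeeds eventually.
    weak = OtpVerifier(max_attempts=10 ** CODE_DIGITS)
    weak.issue("victim@example.invalid", code="000123")
    print("uncapped:", exhaustive_guess(weak, "victim@example.invalid"))   # (True, 124)

    # Capped verifier (the fix): the code is burned after five wrong guesses.
    strong = OtpVerifier()
    strong.issue("victim@example.invalid", code="000123")
    print("capped:", exhaustive_guess(strong, "victim@example.invalid"))   # (False, 6)
```

The attempt counter is stored with the pending code rather than with the client, so rotating IP addresses or sessions does not reset it; the lifetime bound additionally limits how long any single code stays guessable.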
According to Mänôz, “the greatest impact here was cancelling anybody’s SMS-based 2FA only knowing the phone number.”
With two-factor authentication disabled, a hacker could in principle take over the victim’s account by simply phishing the password.
Mänôz discovered the flaw in the Meta Accounts Center in mid-September of last year and reported it to Meta. Meta patched it about a month after his report and paid him $27,200.
It is not known whether any malicious hackers discovered and used the flaw before Facebook patched it. We reached out to Meta for comment but did not hear back right away.