They told me directly they will not be taking action against it.
In the wake of a massive phone number leak, a security researcher demonstrated that Facebook's infrastructure harbored a quieter but equally consequential flaw — one that could strip the privacy from millions of email addresses, linking them to real identities at industrial scale. The vulnerability was not new, the researcher's warnings were not heeded, and the company's initial response was to close the report without review. What unfolded was less a story about a single exploit than about the distance between a platform's stated commitment to privacy and the institutional will required to defend it.
- A tool called Facebook Email Search v1.0 could process up to 5 million email addresses per day, matching them to Facebook profiles regardless of users' privacy settings — turning hidden contact information into an open directory.
- For roughly $10 and three minutes of effort, the researcher linked 6,000 email addresses to real accounts, demonstrating that the barrier to exploitation was disturbingly low.
- Facebook's bug bounty program closed the report without routing it to the relevant engineering team, and when pressed, the company told the researcher the vulnerability wasn't worth fixing — prompting him to go public.
- Facebook later acknowledged the report was 'erroneously closed' and claimed engineers had mitigated the technique, but declined to address why they had previously dismissed it as insignificant.
- The researcher warned this was the same vulnerability Facebook had patched earlier in the year, raising doubts about whether the fix would hold — and whether the company's security culture was equipped to treat recurring data exposure as the emergency it represents.
Facebook was already absorbing the fallout from a leak of 500 million phone numbers when a researcher surfaced something comparably alarming: a tool capable of systematically matching email addresses to Facebook accounts, bypassing whatever privacy settings users had enabled to keep those addresses concealed.
The tool, Facebook Email Search v1.0, could process up to 5 million addresses a day. In a video the researcher released publicly, he demonstrated the mechanics — feeding 65,000 email addresses into the system and watching matches return in real time. The cost of entry was almost negligible: $10 for 200 Facebook accounts, and within three minutes, 6,000 email addresses had been tied to identifiable profiles.
The researcher had reported the flaw through Facebook's bug bounty program. The company closed the report before it reached anyone who could act on it. When he followed up, he says Facebook told him plainly that the vulnerability wasn't significant enough to fix. Left with no other recourse, he published the demonstration.
Facebook's public response acknowledged the procedural failure — the report had been 'erroneously closed,' a spokesperson said — and claimed engineers had since disabled the technique. But the company did not address its earlier dismissal, and the researcher's deeper concern went unanswered: this was not a new vulnerability. Facebook had patched an essentially identical flaw earlier in the year, and the same weakness had returned.
The episode also illuminated something about how Facebook managed its public image around data incidents. Internal guidance, accidentally sent to a journalist, had instructed PR staff to 'frame this as a broad industry issue and normalize the fact that this activity happens regularly' — a posture that suggested the company's instinct was to absorb criticism rather than confront the underlying risks. Whether the latest mitigation would hold remained an open question.
Facebook was already reeling from the leak of 500 million phone numbers when a researcher demonstrated something potentially more damaging: a tool that could systematically match email addresses to Facebook accounts, stripping away the privacy settings users had put in place to keep those addresses hidden.
The tool, called Facebook Email Search v1.0, could process up to 5 million email addresses in a single day. In a video that circulated on Tuesday, the researcher showed the mechanics in action. He fed a list of 65,000 email addresses into the system, and the tool began returning matches. To prove how accessible the vulnerability was, he explained that he had spent roughly $10 to purchase 200 Facebook accounts. Within three minutes, using those accounts, he had successfully linked 6,000 email addresses to their corresponding Facebook profiles.
The researcher had discovered what he believed was a serious security flaw and reported it to Facebook through the company's bug bounty program. Facebook's response was to close the report without sending it to the team that could actually address it. When the researcher pressed the issue, he says Facebook told him directly that they did not consider the vulnerability significant enough to warrant a fix. Frustrated by what he saw as dismissal of a genuine threat, he decided to go public with a demonstration of the tool's capabilities.
Facebook's official statement acknowledged the misstep. A company representative said the report had been "erroneously closed" before reaching the right team, and that Facebook appreciated the researcher bringing the information forward. The company claimed that engineers had already taken steps to disable the technique shown in the video. However, Facebook did not directly address the researcher's assertion that the company had told him the vulnerability wasn't important enough to fix.
What made this situation particularly troubling was that it wasn't a novel problem. The researcher pointed out that Facebook had patched an essentially identical vulnerability earlier in the year. The same weakness had resurfaced, and despite demonstrating it to Facebook and making the company aware of the risk, he said Facebook had declined to take action. "This is essentially the exact same vulnerability," he explained in the video.
The incident fit into a broader pattern of criticism Facebook had faced over how it handled data collection at scale. Beyond the technical vulnerabilities themselves, the company had drawn fire for the way it framed these incidents publicly. An email that Facebook had inadvertently sent to a reporter at a Dutch publication revealed internal guidance instructing public relations staff to "frame this as a broad industry issue and normalize the fact that this activity happens regularly." The message suggested Facebook was trying to downplay the significance of large-scale data harvesting by treating it as routine.
Whether anyone had actually exploited this particular vulnerability to build a comprehensive database of matched email addresses remained unclear. But the researcher's warning was stark: he believed the flaw represented a serious danger and called for help in getting it shut down. The question now was whether Facebook's claim of mitigation would hold, and whether the company would finally treat similar vulnerabilities with the urgency the researcher believed they deserved.
Notable Quotes
It appears that we erroneously closed out this bug bounty report before routing to the appropriate team.— Facebook statement
I believe this to be quite a dangerous vulnerability, and I would like help in getting this stopped.— The researcher
The Hearth Conversation Another angle on the story
Why would someone spend $10 on fake accounts just to demonstrate this? Couldn't they have shown the vulnerability without actually doing it?
The researcher needed to prove it worked at scale and in real time. A theoretical explanation wouldn't have the same weight. Showing the actual output—6,000 matches in three minutes—made it impossible for Facebook to dismiss as hypothetical.
Facebook said they mitigated it. So the problem is solved, right?
That's what concerns the researcher. This is the second time the same vulnerability has appeared. Facebook patched it earlier in the year, it came back, and when he reported it again, they said it wasn't worth fixing. That pattern suggests the company isn't being thorough.
What's the actual harm here? Email addresses aren't as sensitive as phone numbers.
Email is often the key to everything else—password resets, account recovery, identity verification. If you can link millions of emails to Facebook profiles, you've created a map that connects people's identities across the internet. That's valuable to bad actors.
Why did Facebook close the bug report without looking at it?
They said it was an error—the report didn't get routed to the right team. But the researcher says Facebook also told him directly they didn't think it was important. So it's unclear whether it was incompetence or deliberate deprioritization.
The internal email about "normalizing" data collection—that's damaging.
It suggests Facebook knows these breaches happen regularly and has decided the best strategy is to make them seem normal rather than fix the underlying problems. That's a different kind of vulnerability than the technical one.