A security issue in Facebook's login procedure made it possible for attackers to take over arbitrary accounts. The vulnerability allowed attackers to add their own e-mail address and phone number to the account of another user.
By requesting a password reset, they could then change the password and log in to the account. To perform the attack, the attacker first needed to trick the victim into clicking a specifically prepared link.
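The article does not say how the prepared link caused the contact details to be added, so the following is an added illustration, not Facebook's code or the researcher's report. It assumes the general pattern the description matches: a link that, when opened by a logged-in victim, makes the browser send a request that changes that victim's account. The weak handler accepts any request carrying the victim's session; the hardened one requires a POST with a per-session CSRF token and keeps a newly added address out of the password-reset path until the address itself is confirmed. All names, accounts and addresses are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


@dataclass
class Account:
    """Constructed stand-in for a user record."""
    username: str
    verified_emails: Set[str] = field(default_factory=set)
    pending_emails: Set[str] = field(default_factory=set)


@dataclass
class Request:
    """Minimal model of an HTTP request as seen by the server."""
    method: str
    params: Dict[str, str]
    session_user: str                 # user identified by the cookie sent with the request
    csrf_token: Optional[str] = None  # token copied from the settings page form, if any


Store = Dict[str, Account]
Tokens = Dict[str, str]
Handler = Callable[[Store, Tokens, Request], str]


def issue_csrf_token(tokens: Tokens, user: str) -> str:
    """Token embedded in the legitimate settings form; a cross-site link cannot read it."""
    tokens[user] = secrets.token_urlsafe(32)
    return tokens[user]


def add_email_vulnerable(store: Store, tokens: Tokens, req: Request) -> str:
    """Hypothetical weak handler: the session cookie alone authorises the change,
    so a GET triggered by a prepared link adds the attacker's address as trusted."""
    store[req.session_user].verified_emails.add(req.params["email"])
    return "added"


def add_email_hardened(store: Store, tokens: Tokens, req: Request) -> str:
    """Hardened handler: state change only via POST, only with a valid CSRF token,
    and the new address stays pending until its owner confirms it."""
    if req.method != "POST":
        return "rejected: state change must be a POST"
    expected = tokens.get(req.session_user)
    if expected is None or req.csrf_token is None or not hmac.compare_digest(expected, req.csrf_token):
        return "rejected: missing or invalid CSRF token"
    store[req.session_user].pending_emails.add(req.params["email"])
    return "pending verification"


def confirm_email(store: Store, user: str, email: str) -> bool:
    """Called from the confirmation link sent to the new address."""
    acct = store[user]
    if email not in acct.pending_emails:
        return False
    acct.pending_emails.discard(email)
    acct.verified_emails.add(email)
    return True


def password_reset_targets(store: Store, user: str) -> list:
    """Only confirmed addresses may receive a password-reset message."""
    return sorted(store[user].verified_emails)


def simulate_link_click(handler: Handler):
    """Fresh victim account, then the forged request a prepared link would make
    the victim's browser send (constructed data). Returns the handler's verdict
    and the addresses a password reset could now be sent to."""
    store = {"victim": Account("victim", verified_emails={"victim@example.com"})}
    tokens: Tokens = {}
    forged = Request(method="GET", params={"email": "attacker@example.test"},
                     session_user="victim", csrf_token=None)
    verdict = handler(store, tokens, forged)
    return verdict, password_reset_targets(store, "victim")


def legitimate_flow():
    """The user adds an address through the real form and confirms it."""
    store = {"victim": Account("victim", verified_emails={"victim@example.com"})}
    tokens: Tokens = {}
    token = issue_csrf_token(tokens, "victim")
    req = Request(method="POST", params={"email": "new@example.com"},
                  session_user="victim", csrf_token=token)
    add_email_hardened(store, tokens, req)
    confirm_email(store, "victim", "new@example.com")
    return password_reset_targets(store, "victim")


if __name__ == "__main__":
    print("vulnerable:", simulate_link_click(add_email_vulnerable))
    print("hardened:  ", simulate_link_click(add_email_hardened))
    print("legitimate:", legitimate_flow())
```

The two defences are independent: the CSRF token stops a forged request from another origin from being accepted at all, and the pending/confirmed split means that even an address that does get attached cannot be used for a password reset until whoever controls it proves they asked for it from inside the account.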
Security researcher Samm0uda discovered the issue and reported it to Facebook on January 26th this year. The social network fixed the issue within 5 days and awarded the security researcher a $25,000 bounty.