Maybe a new version of the directory harvest attack[0]?
For example, if someone has an email address (or list of email addresses) from somewhere else, one can easily tell if you (or they) have a Facebook account by simply requesting a password reset against it (them). If there's no throttling on password reset requests, one could process a large list rather quickly.
Oh - that sounds entirely likely. I'd be surprised if Facebook allowed unthrottled password resets, but the bad people are so clever these days, who knows. Thanks for the insight.
[0] - https://docs.microsoft.com/en-us/exchange/recipient-filterin...
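A server-side mitigation for the enumeration described in the first comment, as an added example that is not code from this thread or from Facebook: the reset endpoint returns the same status and body whether or not the address is registered, and throttles per source IP and per target address. The user store, the sample addresses, the limits and the `request_password_reset` name are all assumptions.

```python
import secrets
import time
from collections import defaultdict, deque

# Constructed sample user store (placeholder addresses, not real accounts).
USERS = {"alice@example.com": "uid-1", "bob@example.com": "uid-2"}

# The response is identical whether or not the address is registered, so the
# reset endpoint cannot be used to confirm which addresses have accounts.
GENERIC_RESPONSE = "If an account exists for that address, a reset link has been sent."

class ResetThrottle:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per key."""
    def __init__(self, limit=5, window=3600.0):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self._hits[key]
        while q and now - q[0] > self.window:   # drop hits that fell outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

_throttle = ResetThrottle()
outbox = []  # stands in for the mail transport; real code stores a token hash with an expiry

def request_password_reset(email, client_ip, now=None):
    """Handle a reset request. Returns (status, body); neither depends on whether `email` exists."""
    email = email.lower().strip()
    # Limit per source IP (bulk lists) and per target address (one victim hit repeatedly).
    # Both limits are checked before any lookup, so a 429 cannot leak existence either.
    ip_ok = _throttle.allow(("ip", client_ip), now)
    email_ok = _throttle.allow(("email", email), now)
    if not (ip_ok and email_ok):
        return 429, "Too many reset requests; try again later."
    # Always generate the token so the work done is the same for known and unknown addresses.
    token = secrets.token_urlsafe(32)
    uid = USERS.get(email)
    if uid is not None:
        outbox.append((email, uid, token))
    return 202, GENERIC_RESPONSE
```

The per-address limit means a flood of requests against one address also blocks that user's own resets for the window, which is the usual trade-off to weigh against the limit and window chosen.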