Facebook patches security hole that allowed mass harvesting of phone numbers

10.10.2012

"Frankly, I don't think such a rate limit ever existed on the mobile version [of the website]," Suriya said Wednesday.

The researcher claims that his tests lasted eight days and included searching for sets of 10,000 phone numbers one after the other, using the same account and the same IP address, without getting blocked.

"My tests were blocked around 10 PM CST on Monday," Borland said Wednesday via email. "I built a check into the original script for logouts or irregular HTTP responses (403, 5xx, 3xx, etc.) for when something like this would happen. Facebook logs you out when your account gets banned, so it was easy to tell when the patch got rolled out."

"I most certainly believe it was fixed when the media frenzy happened," he said. "It was literally less than a day when the story broke out that a fix was pushed out."

Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, confirmed that earlier on Monday he was initially able to use Borland's script to perform over 5,000 search queries. However, when he tried again on Tuesday his Facebook account got locked down for 24 hours.