Facebook patches security hole that allowed mass harvesting of phone numbers

10.10.2012

The search-rate limitation that Facebook implemented on Monday still allowed around 300 requests to be made from an account, Borland said.

This means that attacks were still possible, especially if run from multiple accounts, because of the method's high success rate. "I gathered an average of 40-60 numbers with one account during those 300 requests/account," the researcher said.

However, the limit appears to have been drastically lowered today. "As of 10 AM CST on Wednesday I could only do 10-30 requests before getting the 'badboy' account lockout," Borland said in a .

"Quite honestly, I'm still not sure why an account name or Facebook id needs to be attached to a phone lookup result," he said. "It should only give an option to send a friend request by that number if it existed, like you would with an email."

"I really wish it did not come to such a public disclosure but they [Facebook] really left me no choice," Suriya said, referring to the breakdown in communication between him and the Facebook Security team that eventually led to his public disclosure on Friday.