
Got Paid $30,000 for Hacking Instagram

How I Got $30K from Facebook for a Simple Instagram Hack (Story-Time)


Facebook paid $30,000 to Mayur Fartade for discovering an Instagram bug that exposed private posts and stories to anyone. In this email, we’re diving into the full story of how Mayur found this vulnerability, reported it, and ultimately earned a massive bounty.

So, grab a seat because it’s story-time, and we’re talking about how a simple security flaw led to a $30K payout. 😱

Here's the story

Mayur Fartade, a security researcher from Maharashtra, comes across a vulnerability in Instagram. We’re talking about a bug that could’ve let anyone see private and archived posts, stories, and reels — all without even following the account. Sounds like a nightmare for privacy, right?

What He Found 👀

Here’s the juicy part: by using something called “media IDs” and some smart API tricks, Mayur discovered a way to unlock the details of these private posts. Likes, comments, the actual images — all up for grabs by just tweaking a few parameters. It was like he had found a hidden backdoor to Instagram's vault!

How Did He Do It? 🧑‍💻

Without getting too technical, here’s a breakdown:

  1. He got his hands on the media ID (that’s the unique code for posts, reels, and stories).

  2. He sent a simple POST request to Instagram’s ads API.

  3. Voilà! He had access to private info like URLs, like counts, and even linked Facebook pages.

But here’s the wild twist: all of this was happening without the user ever knowing. Just imagine the kind of havoc that could’ve caused!
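The steps above describe a lookup by object ID that never checks whether the caller is allowed to see that object. Here is that pattern next to the fixed version, as an added Python example (not Instagram's code and not from Mayur's report); the data model, the function names `can_view`, `lookup_vulnerable` and `lookup_hardened`, and the sample records are all hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    user_id: int
    is_private: bool
    approved_followers: set = field(default_factory=set)

@dataclass
class Media:
    media_id: int
    owner_id: int
    url: str
    like_count: int
    archived: bool = False

# Constructed sample data (hypothetical accounts and posts).
ACCOUNTS = {1: Account(1, True, {2}), 3: Account(3, False)}
MEDIA = {
    1001: Media(1001, 1, "https://cdn.example/1001.jpg", 12),
    1002: Media(1002, 1, "https://cdn.example/1002.jpg", 7, archived=True),
    3001: Media(3001, 3, "https://cdn.example/3001.jpg", 40),
}

def can_view(viewer_id, media):
    """Object-level authorization: decide from the viewer/owner relationship."""
    owner = ACCOUNTS[media.owner_id]
    if viewer_id == owner.user_id:
        return True                      # owners always see their own media
    if media.archived:
        return False                     # archived media is owner-only
    if owner.is_private:
        return viewer_id in owner.approved_followers
    return True                          # public account, live post

def lookup_vulnerable(viewer_id, media_id):
    """The flaw: knowing the media ID is treated as permission to read it."""
    m = MEDIA.get(media_id)
    return None if m is None else {"url": m.url, "like_count": m.like_count}

def lookup_hardened(viewer_id, media_id):
    """The fix: authorize before returning any field of the object."""
    m = MEDIA.get(media_id)
    # Missing and forbidden return the same result, so responses
    # do not reveal which media IDs exist.
    if m is None or not can_view(viewer_id, m):
        return None
    return {"url": m.url, "like_count": m.like_count}
```

The check lives in one function so that every endpoint returning media details, including secondary ones such as an ads interface, can call the same rule instead of re-implementing it.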

Facebook’s Response 📧

Mayur, being a responsible hacker (a.k.a. ethical hacker), didn’t keep this to himself. He reported the bug to Facebook’s security team on April 16th, 2021, and after a bit of back and forth, they patched it up. It took a little time, but by April 29th, they fixed it.

And guess what? After reviewing his findings, Facebook paid Mayur $30,000 for discovering this vulnerability. 🎉

Here's the link to Mayur Fartade's blog > Click here

Want to join the Facebook Bug Bounty Program?

If you’re interested in discovering vulnerabilities and earning rewards like Mayur, the Facebook Bug Bounty Program is the perfect opportunity for you! By participating, you can help improve the security of Facebook’s platforms while also getting paid for your findings. Whether you’re a seasoned security researcher or just starting your journey in ethical hacking, there’s a place for you in this community. Ready to make a difference? Check out the program details and sign up at HackerOne - Meta Bug Bounty Program to start your journey today!

Bug Bounty rewards

| Bug | Level | Reward |
| --- | --- | --- |
| Page admin disclosure | Hard | $5k |
| Contact point deanonimat | Hard | $10k |
| Quest Persistent full secure boot bypass | Hard | $30k |
| 2FA Bypass | Hard | $20k |
| Account Takeover | Hard | $130k |
| Mobile RCE | Hard | $300k |

Total rewards for 2024: $1,920,559

Total rewards to date: $16,413,579
