In a post on his personal site, this blogger, known as "Abhibandu," laid out exactly how he hacked into unverified accounts on Facebook.
When you sign up for a new Facebook account, Facebook sends you an email to verify who you are. Your account is "unverified" until you check this email and either click the embedded link or punch in the five-digit code Facebook gives you.
Abhibandu was able to write a program that guesses that five-digit code within 15 minutes, meaning that if someone doesn't verify his or her Facebook account right away, an attacker could potentially take it over.
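The weakness described above is a short code whose guesses are never throttled: 100,000 possibilities is trivial to exhaust when every attempt is answered. As an added example (not code from Abhibandu's write-up or from Facebook), here is a verification store that bounds what a guesser can do with a per-account attempt cap and a code lifetime; `MAX_ATTEMPTS`, `CODE_TTL_SECONDS` and all class and function names are assumptions, not Facebook's values.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 5           # five-digit code, as in the sign-up flow described above
MAX_ATTEMPTS = 5          # assumed policy: lock the code after this many wrong guesses
CODE_TTL_SECONDS = 600    # assumed policy: code is only valid for ten minutes


@dataclass
class PendingVerification:
    code: str
    issued_at: float
    failed_attempts: int = 0
    locked: bool = False


class VerificationStore:
    """Server-side record of pending email-verification codes, keyed by account id."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested offline
        self._pending = {}

    def issue(self, account_id):
        # Uniformly random code from a CSPRNG, zero-padded to CODE_DIGITS.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account_id] = PendingVerification(code=code, issued_at=self._now())
        return code

    def verify(self, account_id, guess):
        """Return 'ok', 'wrong', 'locked', 'expired' or 'unknown'."""
        entry = self._pending.get(account_id)
        if entry is None:
            return "unknown"
        if entry.locked:
            return "locked"              # locked codes never succeed, even with the right guess
        if self._now() - entry.issued_at > CODE_TTL_SECONDS:
            del self._pending[account_id]
            return "expired"
        if hmac.compare_digest(entry.code, guess):
            del self._pending[account_id]  # one-time use
            return "ok"
        entry.failed_attempts += 1
        if entry.failed_attempts >= MAX_ATTEMPTS:
            entry.locked = True
            return "locked"
        return "wrong"


def brute_force_success_probability(attempts_allowed, digits=CODE_DIGITS):
    """Chance that a guesser limited to attempts_allowed tries hits a uniformly random code."""
    return min(1.0, attempts_allowed / 10 ** digits)
```

With the cap in place a guesser's odds per issued code drop to `MAX_ATTEMPTS / 100000`; without it, the odds approach certainty as attempts pile up, which is the situation the write-up describes.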
Again, this only worked for unverified accounts, so Abhibandu had to do a bit of homework first to find a hackable account. He was able to do so either by trying an email address at sign-up until Facebook asked him to confirm the account, or by searching for email addresses on Facebook to see whether they were verified. Either way, it wasn't too hard for Abhibandu.
Being the Good Samaritan that he is, Abhibandu reported this hack to Facebook and got a response within eight hours that said they were investigating the issue. The problem was fixed within three days. And Abhibandu received a nice bounty payout for notifying Facebook.