Facebook user Aaron Thompson has exposed an online thief who gained access to his account simply by sending the support team a fake passport to unlock the account.
It granted the “hacker” access to Mr Thompson’s personal and business Facebook pages.
Mr Thompson shared his experience on news site Reddit when he realised he was locked out of his accounts.
Facebook later restored them to him and apologised.
The social network declined to comment.
But the BBC understands that the decision to accept the fake ID was a mistake that violated the firm’s internal policies.
Mr Thompson, from Michigan in the US, was made aware of the chain of events that led to the hack in an email from Facebook, headed: “Description of the issue you’re encountering.”
It included this request: “Hi. I don’t have anymore access on my mobile phone number. Kindly turn off code generator and login approval from my account. Thanks.”
In fact, that email had not been sent by Mr Thompson but by the hacker, who did not have access to Mr Thompson’s email address or passwords.
Facebook replied with a message, advising the impostor to send a photo or scan of their ID to “confirm you own the account”.
That scanned image was also forwarded to Mr Thompson’s email account with the response: “Thanks for verifying your identity. You should now be able to log into your account.”
Once the hacker had gained access to the account, he removed all the administrators for the sites and sent Mr Thompson’s fiancée a picture of his genitals.
Mr Thompson wrote on Reddit that he was “pretty devastated” when he realised what had happened.
“It’s blatant harassment,” he said.
At that point, he picked up the email conversation with Facebook, attempting to inform them that he was in fact the owner of the account and that previous emails and the passport ID had not been sent by him.
“Please look further into this, it will be easy to see the account has been hacked. They sent a fake ID to Facebook’s help team to reset the email, and password,” he wrote.
Mr Thompson also reached out to Facebook via Twitter and received a response from its security communications officer Melanie Ensign.
He responded: “You need to make sure it can never happen again. Your security policy needs to be examined and fixed.”
Following the publication of his Reddit post, Facebook restored all his accounts.
Mr Thompson later offered the social media giant some security advice.
“This hacker was able to submit this request and hack the profile in four hours, all while I was sleeping. I didn’t even have time to see that someone was requesting this. There was no notification on Facebook, no notification on my cellphone.
“Given the severity of the theft of information if someone were to hack into your account, I think Facebook should freeze the account to see if the owner does eventually use the original email or phone number to get back into the account.”
He also pointed out that if a request comes from a “suspicious IP address that seems unrelated with the normal IP of the account”, it should not be accepted.
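The safeguards Mr Thompson describes, a freeze period with an immediate notice to the owner and a rejection of requests from unfamiliar addresses, can be sketched as a small policy model. This is an added illustration, not Facebook’s code or anything from the article; the 72-hour hold, the idea of matching the request IP against networks the owner recently logged in from, and the data model are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

HOLD_PERIOD = timedelta(hours=72)  # assumed: how long a 2FA-reset request stays frozen

@dataclass
class Account:
    owner_email: str
    known_networks: list  # networks the owner normally logs in from (constructed data)
    notifications: list = field(default_factory=list)

@dataclass
class RecoveryRequest:
    account: Account
    source_ip: str
    submitted_at: datetime
    id_verified: bool  # support staff accepted the submitted ID document
    status: str = "pending"

def ip_is_anomalous(account: Account, source_ip: str) -> bool:
    """True when the request comes from none of the owner's usual networks."""
    ip = ip_address(source_ip)
    return not any(ip in ip_network(net) for net in account.known_networks)

def submit_request(account: Account, source_ip: str, now: datetime, id_verified: bool) -> RecoveryRequest:
    req = RecoveryRequest(account, source_ip, now, id_verified)
    # Tell the original contact point at once; the owner had no warning in the real case.
    until = now + HOLD_PERIOD
    account.notifications.append(f"2FA-reset requested from {source_ip}; frozen until {until:%Y-%m-%d %H:%M}")
    if ip_is_anomalous(account, source_ip):
        req.status = "rejected"  # the 'suspicious IP address' rule
    return req

def record_owner_login(req: RecoveryRequest) -> str:
    """A login with the original email/phone during the freeze proves the owner is present."""
    if req.status == "pending":
        req.status = "cancelled"
    return req.status

def decide(req: RecoveryRequest, now: datetime) -> str:
    """Resolve a pending request: reject unverified IDs, otherwise wait out the freeze."""
    if req.status != "pending":
        return req.status
    if not req.id_verified:
        req.status = "rejected"
    elif now - req.submitted_at >= HOLD_PERIOD:
        req.status = "approved"  # owner never returned during the freeze
    return req.status
```

Under this model the four-hour window in which the real takeover happened would still have the request on hold, and any login by the owner with the original credentials in that window cancels it.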