Not just that, but there was a self-help page for self-registering your own account (the first screenshot):
> It seems that Facebook was trying to avoid the creation of accounts in Accellion after removing the register form from the pageview
> I discovered that if you know the direct ___location of the form (/courier/web/1000@/wmReg.html), You can easily bypass that protection and create an account in files.fb.com,
Once he created his own accounts, he could test out his exploit code on his created accounts.
> It seems that Facebook was trying to avoid the creation of accounts in Accellion after removing the register form from the pageview
> I discovered that if you know the direct ___location of the form (/courier/web/1000@/wmReg.html), You can easily bypass that protection and create an account in files.fb.com,
Once he created his own accounts, he could test out his exploit code on his created accounts.