CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 07, 2026

Instagram Fixes Password Reset Flaw That Exposes User Emails and Phone Numbers

Cybersecurity News Archived Jun 07, 2026 ✓ Full text saved

A critical logic bug in Instagram’s web-based password reset flow on June 6, 2026, exposed unredacted email addresses and phone numbers associated with user accounts, including those belonging to high-profile individuals such as Meta CEO Mark Zuckerberg and model Georgina Rodriguez. Instagram’s parent company Meta deployed an emergency hotfix within hours of the disclosure, but […] The post Instagram Fixes Password Reset Flaw That Exposes User Emails and Phone Numbers appeared first on Cyber Sec

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security Instagram Fixes Password Reset Flaw That Exposes User Emails and Phone Numbers By Guru Baran June 7, 2026 A critical logic bug in Instagram’s web-based password reset flow on June 6, 2026, exposed unredacted email addresses and phone numbers associated with user accounts, including those belonging to high-profile individuals such as Meta CEO Mark Zuckerberg and model Georgina Rodriguez. Instagram’s parent company Meta deployed an emergency hotfix within hours of the disclosure, but not before proof-of-concept screenshots circulated widely on social media, demonstrating the scope of the vulnerability. The vulnerability resided in Instagram’s web-based password reset interface, where the account recovery screen, designed to display only partially redacted recovery options, failed to properly mask sensitive contact data before presenting it to the requesting party. Researchers discovered that by initiating a standard password reset for any given username, the response returned fully visible email addresses and phone numbers rather than the partially obscured versions Instagram normally shows (e.g., m***@fb.com). Proof-of-concept screenshots shared by security community accounts, including @vxunderground, showed login screens for accounts such as zuck revealing multiple associated emails alongside a linked phone number. This constitutes a direct violation of Meta’s data minimization policies and potentially GDPR Article 25 obligations around privacy by design. META IS STILL HAVING SOME MINOR SECURITY PROBLEMS. INSTAGRAM IS CURRENTLY EXPOSING PHONE NUMBERS AND EMAIL ADDRESSES ASSOCIATED WITH ACCOUNTS WHEN TRYING TO PERFORM A PASSWORD RESET THIS IS COOL AND BADASS BECAUSE EVERYONE IS SHARING MARK ZUCKERBERGS PHONE NUMBER RIGHT NOW — vx-underground (@vxunderground) June 6, 2026 The bug was first spotted and publicly demonstrated on June 6, 2026, by security researchers monitoring Meta’s account recovery infrastructure. Within hours of the demonstrations going viral, security researcher @Scot0xo confirmed on X that the flaw was a logic bug in the web reset flow, not an API credential leak or server-side breach that leaked sensitive account data before Meta responded with a targeted emergency hotfix. META IS MOVING FROM ONE SECURITY FAILURE TO ANOTHER. A FEW HOURS AGO, A NEW LOGIC BUG DROPPED IN THE WEB RESET FLOW, LEAKING SENSITIVE ACCOUNT DATA BEFORE GETTING HIT WITH AN EMERGENCY HOTFIX. THIS IS WHAT HAPPENS WHEN YOU FIRE THE EXPERTS AND RELY ON BRAIN-DEAD AI TO RUN CORE… PIC.TWITTER.COM/QBJEHVJUQI — Scot (@Scot0xo) June 6, 2026 Meta confirmed the patch was applied rapidly, echoing its standard response posture: “We fixed an issue that allowed an external party to request password reset emails for some Instagram users. There was no breach of our systems.” This incident is the latest in a string of Instagram security issues in 2026. In January, a similar password reset abuse allowed third parties to trigger reset emails en masse, coinciding with the alleged leak of 17.5 million Instagram user records on dark web forums. In early June, a separate vulnerability in Meta’s AI-powered support chatbot was exploited by threat actors who used prompt injection to hijack high-profile accounts, including the White House archive page and U.S. Space Force accounts, by convincing the bot to link target accounts to attacker-controlled email addresses. Security researchers have attributed the increasing frequency of these failures partly to architectural decisions around AI-driven automation of sensitive account functions, noting that granting AI systems privileged access to account recovery without robust identity verification creates systemic risk. Meta confirmed that no widespread data exfiltration occurred in the June 6 incident. However, even brief exposure of unredacted account recovery data creates meaningful risk for phishing, SIM-swapping, and targeted account takeover attacks. The enumeration of multiple email addresses tied to a single account could also help adversaries map identity infrastructure across services. Meta has not disclosed a CVE identifier for this logic flaw as of publication time. Users and security teams should continue monitoring Meta’s security advisories for further disclosure details. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News Let’s Encrypt Unveils Merkle Tree Certificates to Secure the Web Against Quantum Threats Hackers Use Fake Purchase Orders to Deploy JS.MonoGlyphRAT Targeting US Enterprises Claude Down for Users Worldwide as Hundreds Report Service Issues Gamaredon APT Hides Malware in Windows Features and Abuses Cloud Platforms for C2 Microsoft Office for the Web and Teams Hit by File Access Outage Latest News Cyber Security New ChatGPT Lockdown Mode to Mitigate Prompt Injection and Data Exfiltration Attacks Cyber Security Free Apps on Samsung and LG Smart TVs Secretly Turning Your Devices Into AI Proxies Cyber Security News CISA Warns of SolarWinds Serv-U Vulnerability Exploited in Attacks Cyber Security News Top 5 Best Tools for Simulated DDoS Attacks in 2026 Cyber Security News Critical Hugging Face Transformers Vulnerability Enables Remote Code Execution Attacks
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 07, 2026
    Archived
    Jun 07, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗