Vulnerability in Password Reset Flow
A logic flaw in Instagram’s web-based password reset interface briefly exposed unredacted email addresses and phone numbers tied to user accounts. The bug occurred when the account recovery screen, which normally displays only partially masked contact information, returned fully visible data instead. Security researchers discovered that initiating a standard password reset for any Instagram username could reveal complete email addresses and phone numbers rather than the obscured versions typically shown.
Proof-of-concept screenshots circulated widely on social media, demonstrating the scope of the issue. Accounts belonging to high-profile individuals, including Meta CEO Mark Zuckerberg, had associated contact details visibly exposed. The flaw constituted a direct violation of Meta’s data minimization policies and potentially GDPR privacy-by-design requirements, making it a significant data exposure incident.
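To make the class of bug concrete, the following is an added illustration written for this article; it is not code from Instagram or Meta, and the account directory, masking format and response shape are constructed assumptions. It places the failure mode (a reset lookup that serialises the stored record without a masking step) next to a hardened version that masks the contact fields and then refuses to emit any response in which the raw values still appear, so that a future masking regression fails closed rather than exposing data.

```python
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AccountRecord:
    username: str
    email: str
    phone: str  # stored in E.164 form, e.g. "+15551234567"


# Constructed sample directory standing in for the account store.
DIRECTORY = {
    "example_user": AccountRecord("example_user", "alice.smith@example.com", "+15551234567"),
}


def mask_email(email: str) -> str:
    """Keep the first character of the local part and of the domain plus the TLD.

    At least three asterisks are always emitted so that very short
    addresses (e.g. "a@b.co") are never returned unchanged.
    """
    local, _, domain = email.partition("@")
    if not local or not domain:
        raise ValueError("not an email address")
    host, _, tld = domain.rpartition(".")
    if not host:  # domain without a dot: treat it as a single label
        host, tld = domain, ""
    masked_local = local[0] + "*" * max(3, len(local) - 1)
    masked_host = host[0] + "*" * max(3, len(host) - 1)
    return masked_local + "@" + masked_host + ("." + tld if tld else "")


def mask_phone(phone: str) -> str:
    """Reveal only the last two digits; keep a leading '+' if present."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) < 4:
        raise ValueError("phone number too short to mask safely")
    prefix = "+" if phone.startswith("+") else ""
    return prefix + "*" * (len(digits) - 2) + digits[-2:]


def leaks_raw_contact(response: dict, rec: AccountRecord) -> bool:
    """True if any raw contact value appears anywhere in the serialised response."""
    blob = json.dumps(response)
    raw_values = {rec.email, rec.phone, re.sub(r"\D", "", rec.phone)}
    return any(v and v in blob for v in raw_values)


def reset_lookup_vulnerable(username: str) -> dict:
    """The failure mode: the stored record is serialised with no masking step."""
    rec = DIRECTORY[username]
    return {"email": rec.email, "phone": rec.phone}


def reset_lookup_hardened(username: str) -> dict:
    """Mask before serialising, then refuse to emit a response that still leaks."""
    rec = DIRECTORY.get(username)
    if rec is None:
        # Same response shape for unknown accounts (a design choice in this
        # example, not something the article attributes to Instagram).
        return {"email": None, "phone": None}
    response = {"email": mask_email(rec.email), "phone": mask_phone(rec.phone)}
    # Output guard: a masking bug fails closed instead of exposing contact data.
    if leaks_raw_contact(response, rec):
        raise RuntimeError("refusing to emit unmasked contact data")
    return response


if __name__ == "__main__":
    rec = DIRECTORY["example_user"]
    for name, handler in (("vulnerable", reset_lookup_vulnerable), ("hardened", reset_lookup_hardened)):
        out = handler("example_user")
        print(f"{name}: {out} leaks={leaks_raw_contact(out, rec)}")
```

The point of `leaks_raw_contact` is that it checks the serialised output, not the code path that produced it: the same function can run as a CI regression test over every response shape the reset flow can return, which is the kind of check that would have caught a masking step silently dropping out of a web flow before the unmasked data reached users.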
Meta’s Response and Impact
Meta deployed an emergency hotfix within hours of the vulnerability being publicly demonstrated on June 6, 2026. Security researcher @Scot0xo confirmed the issue was a logic bug in the web reset flow, not an API credential leak or server-side breach. The company moved quickly to address the flaw after proof-of-concept examples went viral across social media platforms, though the exposure had already affected numerous users.
The incident underscores ongoing challenges in Meta’s account recovery infrastructure and raises questions about security practices following workforce reductions. While the emergency patch resolved the immediate vulnerability, the exposure of contact data for both ordinary users and high-profile figures highlights the risks inherent in password reset mechanisms that handle sensitive personally identifiable information.
Source: Cyber Security News
