{"id":13444,"date":"2026-06-07T10:03:52","date_gmt":"2026-06-07T10:03:52","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/06\/07\/instagram-fixes-password-reset-flaw-that-exposes-user-emails-and-phone-numbers\/"},"modified":"2026-06-07T10:03:52","modified_gmt":"2026-06-07T10:03:52","slug":"instagram-fixes-password-reset-flaw-that-exposes-user-emails-and-phone-numbers","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/06\/07\/instagram-fixes-password-reset-flaw-that-exposes-user-emails-and-phone-numbers\/","title":{"rendered":"Instagram Fixes Password Reset Flaw That Exposes User Emails and Phone Numbers"},"content":{"rendered":"<div>\n<p class=\"wp-block-paragraph\">A critical logic bug in Instagram\u2019s web-based password reset flow on June 6, 2026, exposed unredacted email addresses and phone numbers associated with user accounts, including those belonging to high-profile individuals such as Meta CEO Mark Zuckerberg and model Georgina Rodriguez.<\/p>\n<p class=\"wp-block-paragraph\">Instagram\u2019s parent company Meta deployed an emergency hotfix within hours of the disclosure, but not before proof-of-concept screenshots circulated widely on social media, demonstrating the scope of the vulnerability.<\/p>\n<p class=\"wp-block-paragraph\">The vulnerability resided in Instagram\u2019s web-based password reset interface, where the account recovery screen, designed to display only partially redacted recovery options, failed to properly mask sensitive contact data before presenting it to the requesting party.<\/p>\n<p class=\"wp-block-paragraph\">Researchers discovered that by initiating a standard password reset for any given username, the response returned fully visible email addresses and phone numbers rather than the partially 
obscured versions Instagram normally shows (e.g., <code>m***@fb.com<\/code>).<\/p>\n<p class=\"wp-block-paragraph\">Proof-of-concept screenshots shared by security community accounts, including @vxunderground, showed login screens for accounts such as <code>zuck<\/code> revealing multiple associated emails alongside a linked phone number. This constitutes a direct violation of Meta\u2019s data minimization policies and potentially GDPR Article 25 obligations around privacy by design.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-x wp-block-embed-x\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"embed-x\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Meta is still having some minor security problems. Instagram is currently exposing phone numbers and email addresses associated with accounts when trying to perform a password reset<\/p>\n<p>This is cool and badass because everyone is sharing Mark Zuckerberg\u2019s phone number right now<\/p>\n<p>\u2014 vx-underground (@vxunderground) <a href=\"https:\/\/x.com\/vxunderground\/status\/2063360297247572365?ref_src=twsrc%5Etfw\">June 6, 2026<\/a>\n<\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.x.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div>\n<\/div>\n<\/figure>\n<p class=\"wp-block-paragraph\">The bug was first spotted and publicly demonstrated on June 6, 2026, by security researchers monitoring Meta\u2019s account recovery infrastructure.<\/p>\n<p class=\"wp-block-paragraph\">Within hours of the demonstrations going viral, security researcher @Scot0xo confirmed on X that the flaw was a logic bug in the web reset flow, not an API credential leak or server-side breach; the bug leaked sensitive account data before Meta responded with a targeted emergency hotfix.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-x wp-block-embed-x\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"embed-x\">\n<blockquote 
class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Meta is moving from one security failure to another. A few hours ago, a new logic bug dropped in the Web Reset flow, leaking sensitive account data before getting hit with an emergency hotfix. This is what happens when you fire the experts and rely on brain-dead AI to run core\u2026 <a href=\"https:\/\/t.co\/qbjEhVjUQi\">pic.twitter.com\/qbjEhVjUQi<\/a><\/p>\n<p>\u2014 Scot (@Scot0xo) <a href=\"https:\/\/x.com\/Scot0xo\/status\/2063309762339697000?ref_src=twsrc%5Etfw\">June 6, 2026<\/a>\n<\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.x.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div>\n<\/div>\n<\/figure>\n<p class=\"wp-block-paragraph\">Meta confirmed the patch was applied rapidly, echoing its standard response posture: \u201cWe fixed an issue that allowed an external party to request password reset emails for some Instagram users. There was no breach of our systems.\u201d<\/p>\n<p class=\"wp-block-paragraph\">This incident is the latest in a string of Instagram security issues in 2026. In January, a similar password reset abuse allowed third parties to trigger reset emails en masse, coinciding with the alleged leak of 17.5 million Instagram user records on dark web forums.<\/p>\n<p class=\"wp-block-paragraph\">In early June, a <a href=\"https:\/\/cybersecuritynews.com\/metas-ai-support-bot-instagram\/\" target=\"_blank\" rel=\"noreferrer noopener\">separate vulnerability in Meta\u2019s AI-powered support chatbot<\/a> was exploited by threat actors who used prompt injection to hijack high-profile accounts, including the White House archive page and U.S. 
Space Force accounts, by convincing the bot to link target accounts to attacker-controlled email addresses.<\/p>\n<p class=\"wp-block-paragraph\">Security researchers have attributed the increasing frequency of these failures partly to architectural decisions around AI-driven automation of sensitive account functions, noting that granting AI systems privileged access to account recovery without robust identity verification creates systemic risk.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/cybersecuritynews.com\/instagram-confirms-no-system-breach\/\" target=\"_blank\" rel=\"noreferrer noopener\">Meta confirmed that no widespread data exfiltration<\/a> occurred in the June 6 incident. However, even brief exposure of unredacted account recovery data creates meaningful risk for phishing, SIM-swapping, and targeted account takeover attacks. The enumeration of multiple email addresses tied to a single account could also help adversaries map identity infrastructure across services.<\/p>\n<p class=\"wp-block-paragraph\">Meta has not disclosed a CVE identifier for this logic flaw as of publication time. 
Users and security teams should continue monitoring Meta\u2019s security advisories for further disclosure details.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/instagram-password-reset-user-phone\/\">Instagram Fixes Password Reset Flaw That Exposes User Emails and Phone Numbers<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Guru Baran<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Instagram Fixes Password Reset Flaw That Exposes User Emails and Phone Numbers A critical logic bug in Instagram\u2019s web-based password reset flow on June 6, 2026, exposed unredacted email addresses and phone numbers associated with user accounts, including those belonging to high-profile individuals such as Meta CEO Mark Zuckerberg and model Georgina Rodriguez. 
Instagram\u2019s parent [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63],"tags":[130],"class_list":["post-13444","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13444"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13444"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13444\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13444"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13444"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13444"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}